[net,5/7] sctp: add vtag check in sctp_sf_violation

Message ID	5be6dfdbfa3b618e169c5d03e2b1109310ac5938.1634730082.git.lucien.xin@gmail.com (mailing list archive)
State	Accepted
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Xin Long <lucien.xin@gmail.com> To: network dev <netdev@vger.kernel.org>, davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>, michael.tuexen@lurchi.franken.de Subject: [PATCH net 5/7] sctp: add vtag check in sctp_sf_violation Date: Wed, 20 Oct 2021 07:42:45 -0400 Message-Id: <5be6dfdbfa3b618e169c5d03e2b1109310ac5938.1634730082.git.lucien.xin@gmail.com> In-Reply-To: <cover.1634730082.git.lucien.xin@gmail.com> References: <cover.1634730082.git.lucien.xin@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	sctp: enhancements for the verification tag \| expand [net,0/7] sctp: enhancements for the verification tag [net,1/7] sctp: use init_tag from inithdr for ABORT chunk [net,2/7] sctp: fix the processing for INIT chunk [net,3/7] sctp: fix the processing for INIT_ACK chunk [net,4/7] sctp: fix the processing for COOKIE_ECHO chunk [net,5/7] sctp: add vtag check in sctp_sf_violation [net,6/7] sctp: add vtag check in sctp_sf_do_8_5_1_E_sa [net,7/7] sctp: add vtag check in sctp_sf_ootb

Message ID

5be6dfdbfa3b618e169c5d03e2b1109310ac5938.1634730082.git.lucien.xin@gmail.com (mailing list archive)

State

Accepted

Delegated to:

Netdev Maintainers

Headers

From: Xin Long <lucien.xin@gmail.com>
To: network dev <netdev@vger.kernel.org>, davem@davemloft.net,
        kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
        michael.tuexen@lurchi.franken.de
Subject: [PATCH net 5/7] sctp: add vtag check in sctp_sf_violation
Date: Wed, 20 Oct 2021 07:42:45 -0400
Message-Id: 
 <5be6dfdbfa3b618e169c5d03e2b1109310ac5938.1634730082.git.lucien.xin@gmail.com>
In-Reply-To: <cover.1634730082.git.lucien.xin@gmail.com>
References: <cover.1634730082.git.lucien.xin@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

sctp: enhancements for the verification tag | expand

Context	Check	Description
netdev/cover_letter	success	Series has a cover letter
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/patch_count	success	Link
netdev/tree_selection	success	Clearly marked for net
netdev/subject_prefix	success	Link
netdev/cc_maintainers	warning	2 maintainers not CCed: nhorman@tuxdriver.com vyasevich@gmail.com
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	success	Fixes tag looks correct
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/header_inline	success	No static functions without inline keyword in header files

Context

Check

Description

netdev/cover_letter

success

Series has a cover letter

netdev/fixes_present

success

Fixes tag present in non-next series

netdev/patch_count

success

Link

netdev/tree_selection

success

Clearly marked for net

netdev/subject_prefix

success

Link

netdev/cc_maintainers

warning

2 maintainers not CCed: nhorman@tuxdriver.com vyasevich@gmail.com

netdev/source_inline

success

Was 0 now: 0

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/module_param

success

Was 0 now: 0

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/verify_fixes

success

Fixes tag looks correct

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 9 lines checked

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/header_inline

success

No static functions without inline keyword in header files

Commit Message

Xin Long Oct. 20, 2021, 11:42 a.m. UTC

sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk
in cookie_wait state, and some other places are also using it.

The vtag in the chunk's sctphdr should be verified, otherwise, as
later in chunk length check, it may send abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/sctp/sm_statefuns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 96a069d725e9..36328ab88bdd 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -4669,6 +4669,9 @@  enum sctp_disposition sctp_sf_violation(struct net *net,
 {
 	struct sctp_chunk *chunk = arg;
 
+	if (!sctp_vtag_verify(chunk, asoc))
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
 	/* Make sure that the chunk has a valid length. */
 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

[net,5/7] sctp: add vtag check in sctp_sf_violation

Checks

Commit Message

Patch