| Message ID | ba8724d10da0f7545e5b91d1540a984c2b398a6a.1634884487.git.lucien.xin@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | security: fixups for the security hooks in sctp | expand |
On Fri, Oct 22, 2021 at 8:36 AM Xin Long <lucien.xin@gmail.com> wrote: > The asoc created when receives the INIT chunk is a temporary one, it > will be delete after INIT_ACK chunk is replied. So for the real asoc Nit: s/delete/deleted/ > created in sctp_sf_do_5_1D_ce() when receives the COOKIE_ECHO chunk, Nit: s/receives the COOKIE_ECHO chunk/the COOKIE_ECHO chunk is received/ > security_sctp_assoc_request() should also be called. > > Fixes: 72e89f50084c ("security: Add support for SCTP security hooks") > Reported-by: Prashanth Prahlad <pprahlad@redhat.com> > Signed-off-by: Xin Long <lucien.xin@gmail.com> > --- > Documentation/security/SCTP.rst | 15 +++++++++------ > net/sctp/sm_statefuns.c | 5 +++++ > 2 files changed, 14 insertions(+), 6 deletions(-) > > diff --git a/Documentation/security/SCTP.rst b/Documentation/security/SCTP.rst > index 415b548d9ce0..9a38067762e5 100644 > --- a/Documentation/security/SCTP.rst > +++ b/Documentation/security/SCTP.rst > @@ -151,9 +151,9 @@ establishing an association. > INIT ---------------------------------------------> > sctp_sf_do_5_1B_init() > Respond to an INIT chunk. > - SCTP peer endpoint "A" is > - asking for an association. Call > - security_sctp_assoc_request() > + SCTP peer endpoint "A" is asking > + for an temporary association. Nit: s/an/a/ > + Call security_sctp_assoc_request() > to set the peer label if first > association. > If not first association, check > @@ -163,9 +163,12 @@ establishing an association. > | discard the packet. > | > COOKIE ECHO ------------------------------------------> > - | > - | > - | > + sctp_sf_do_5_1D_ce() > + Respond to an COOKIE ECHO chunk. > + Confirm the cookie and create an Nit: s/an/a/ > + permanent association. > + Call security_sctp_assoc_request() to > + do the same as for INIT chunk Response. > <------------------------------------------- COOKIE ACK > | | > sctp_sf_do_5_1E_ca | > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c > index 3206374209bc..b818532c3fc2 100644 > --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c > @@ -781,6 +781,11 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, > } > } > > + if (security_sctp_assoc_request(new_asoc, chunk->skb)) { > + sctp_association_free(new_asoc); > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); > + } > + > /* Delay state machine commands until later. > * > * Re-build the bind address for the association is done in > -- > 2.27.0 > -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
diff --git a/Documentation/security/SCTP.rst b/Documentation/security/SCTP.rst index 415b548d9ce0..9a38067762e5 100644 --- a/Documentation/security/SCTP.rst +++ b/Documentation/security/SCTP.rst @@ -151,9 +151,9 @@ establishing an association. INIT ---------------------------------------------> sctp_sf_do_5_1B_init() Respond to an INIT chunk. - SCTP peer endpoint "A" is - asking for an association. Call - security_sctp_assoc_request() + SCTP peer endpoint "A" is asking + for an temporary association. + Call security_sctp_assoc_request() to set the peer label if first association. If not first association, check @@ -163,9 +163,12 @@ establishing an association. | discard the packet. | COOKIE ECHO ------------------------------------------> - | - | - | + sctp_sf_do_5_1D_ce() + Respond to an COOKIE ECHO chunk. + Confirm the cookie and create an + permanent association. + Call security_sctp_assoc_request() to + do the same as for INIT chunk Response. <------------------------------------------- COOKIE ACK | | sctp_sf_do_5_1E_ca | diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 3206374209bc..b818532c3fc2 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -781,6 +781,11 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, } } + if (security_sctp_assoc_request(new_asoc, chunk->skb)) { + sctp_association_free(new_asoc); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + } + /* Delay state machine commands until later. * * Re-build the bind address for the association is done in
The asoc created when receives the INIT chunk is a temporary one, it will be delete after INIT_ACK chunk is replied. So for the real asoc created in sctp_sf_do_5_1D_ce() when receives the COOKIE_ECHO chunk, security_sctp_assoc_request() should also be called. Fixes: 72e89f50084c ("security: Add support for SCTP security hooks") Reported-by: Prashanth Prahlad <pprahlad@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> --- Documentation/security/SCTP.rst | 15 +++++++++------ net/sctp/sm_statefuns.c | 5 +++++ 2 files changed, 14 insertions(+), 6 deletions(-)