From patchwork Wed Oct 20 11:42:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 12572145 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA662C433FE for ; Wed, 20 Oct 2021 11:42:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9481B61354 for ; Wed, 20 Oct 2021 11:42:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230173AbhJTLpI (ORCPT ); Wed, 20 Oct 2021 07:45:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229952AbhJTLpI (ORCPT ); Wed, 20 Oct 2021 07:45:08 -0400 Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BF76BC06161C; Wed, 20 Oct 2021 04:42:53 -0700 (PDT) Received: by mail-wm1-x32a.google.com with SMTP id o24so10883175wms.0; Wed, 20 Oct 2021 04:42:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=VwHJhYODjs1JSakaHf2SUd7FFDGYoerS9uZirIeSeZA=; b=XL6TcxdzCHgzWt635ibKqiwgHKJJfEf/xzN4qReUVE6u0dsDDFfDFvk1aUOXzVfwvG Y72b+L3Rz8HGFPD14o20q+A3kfYa8qaZJ+iikukZyBnbFLSU0lvn2JpqUtiysDsQmRmy aWAtypA1f6k0JS25RsbYD1qWqrivAdCQvvhWdWlVXcHhrlgX91TWLyfhMqaWQ4/HESRU jpTvLg3/4AwKH1CvS4j14yA/NQ+btx4vN8hDV/Z8yypGn8u+z6rig2Cu+ZffHiDvG20o GdCNGkeBsryItAEfLnJqa8O6KvFS2ewEXz4pDBIu7WG3qPErAoP7HHz4fOaNxHzYpZ7R X87A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; 
s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=VwHJhYODjs1JSakaHf2SUd7FFDGYoerS9uZirIeSeZA=; b=jXyHlIolTwcgq5lQZCxO07AxVF9H2YkDpLxnCcHCS9Z9GAiUuaQJn5jeoik+sd7YGY uaKfRhTvSGmWMIyADx/qVfemQ7OG+QOEHiPLtDODmF4xgIRS7lBpsyJ9aKanL8tyE08S IOZy23BRDY5ewOF1GzeeAV9vkLj1nEWzgoXjOH67yzZUpBOgZjC0cZHiX9mOUE1a4SLs 0PCjZnsp5WruTFgKAUeZADp/HUiLs2wMs0HpOyJcsY2FQRgjgR1MgINQFm4xNLfItps1 /2j2c/cDtyL3fMc3IbkLm/j8AaiV0gD73MHhtrSMYu531VBlTx7xrlcphjPeDCOwYnw+ OZuw== X-Gm-Message-State: AOAM530aw9wEUmZ2Cj47RprQy0fxJ8WLPcWVsLd96iNdc300VNnmXCYZ dRhp7d5iIThHTWjw3IhLcGjpDt7xZwi7ZQ== X-Google-Smtp-Source: ABdhPJyuw2w6Z7MFDaSvdNxk8Ec8Y879r3oYhqzANIdSZDhPQUmhaKtwGUTIUUo5aJDscUx7hrAvkg== X-Received: by 2002:a1c:3b06:: with SMTP id i6mr13134171wma.172.1634730172188; Wed, 20 Oct 2021 04:42:52 -0700 (PDT) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id 186sm4988989wmc.20.2021.10.20.04.42.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Oct 2021 04:42:51 -0700 (PDT) 
From: Xin Long
To: network dev , davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner , michael.tuexen@lurchi.franken.de
Subject: [PATCH net 1/7] sctp: use init_tag from inithdr for ABORT chunk
Date: Wed, 20 Oct 2021 07:42:41 -0400
Message-Id:
X-Mailer: git-send-email 2.27.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Currently Linux SCTP uses the verification tag of the existing SCTP asoc when failing to process and sending the packet with the ABORT chunk. This will result in the peer accepting the ABORT chunk and removing the SCTP asoc. One could exploit this to terminate a SCTP asoc.

This patch is to fix it by always using the initiate tag of the received INIT chunk for the ABORT chunk to be sent.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
---
 net/sctp/sm_statefuns.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 32df65f68c12..7f8306968c39 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -6348,6 +6348,7 @@ static struct sctp_packet *sctp_ootb_pkt_new( * yet. */ switch (chunk->chunk_hdr->type) { + case SCTP_CID_INIT: case SCTP_CID_INIT_ACK: { struct sctp_initack_chunk *initack;

From patchwork Wed Oct 20 11:42:42 2021
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 12572147
X-Patchwork-Delegate: kuba@kernel.org
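Review bot: the new `case SCTP_CID_INIT:` in the `sctp_ootb_pkt_new()` hunk of patch 1/7 falls through into the `SCTP_CID_INIT_ACK` branch, which reads the initiate tag through `struct sctp_initack_chunk`, so it is only safe when the calling state function has already validated the INIT chunk's length against `sizeof(struct sctp_init_chunk)`; this hunk adds no such check, and it is patch 2/7 of the series that moves those checks ahead of the ABORT path. A one-line comment at the new case, saying that INIT and INIT_ACK share the `sctp_inithdr` layout and that the length is validated by the caller, would make the dependency explicit, and the commit message should mention that the two patches belong together.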
From: Xin Long
To: network dev , davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner , michael.tuexen@lurchi.franken.de
Subject: [PATCH net 2/7] sctp: fix the processing for INIT chunk
Date: Wed, 20 Oct 2021 07:42:42 -0400
Message-Id: <1ce1168433f146de7aa03dbb27601b949ad8354e.1634730082.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

This patch fixes the problems below:

1. In non-shutdown_ack_sent states: in sctp_sf_do_5_1B_init() and sctp_sf_do_5_2_2_dupinit(): the chunk length check should be done before any checks that may cause an abort to be sent, as making the packet for the abort will access the init_tag from init_hdr in sctp_ootb_pkt_new().

2. In shutdown_ack_sent state: in sctp_sf_do_9_2_reshutack(): the same checks as done in sctp_sf_do_5_2_2_dupinit() are needed for sctp_sf_do_9_2_reshutack().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
---
 net/sctp/sm_statefuns.c | 72 ++++++++++++++++++++++++++---------------
 1 file changed, 46 insertions(+), 26 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 7f8306968c39..9bfa8cca9974 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -156,6 +156,12 @@ static enum sctp_disposition __sctp_sf_do_9_1_abort( void *arg, struct sctp_cmd_seq *commands); +static enum sctp_disposition +__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const union sctp_subtype type, void *arg, + struct sctp_cmd_seq *commands); + /* Small helper function that checks if the chunk length * is of the appropriate length. The 'required_length' argument * is set to be the size of a specific chunk we are testing.
@@ -337,6 +343,14 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, if (!chunk->singleton) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the INIT chunk has a valid length. + * Normally, this would cause an ABORT with a Protocol Violation + * error, but since we don't have an association, we'll + * just discard the packet. + */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* If the packet is an OOTB packet which is temporarily on the * control endpoint, respond with an ABORT. */ @@ -351,14 +365,6 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, if (chunk->sctp_hdr->vtag != 0) return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); - /* Make sure that the INIT chunk has a valid length. - * Normally, this would cause an ABORT with a Protocol Violation - * error, but since we don't have an association, we'll - * just discard the packet. - */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) - return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); - /* If the INIT is coming toward a closing socket, we'll send back * and ABORT. Essentially, this catches the race of INIT being * backloged to the socket at the same time as the user issues close(). 
@@ -1524,20 +1530,16 @@ static enum sctp_disposition sctp_sf_do_unexpected_init( if (!chunk->singleton) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the INIT chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* 3.1 A packet containing an INIT chunk MUST have a zero Verification * Tag. */ if (chunk->sctp_hdr->vtag != 0) return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); - /* Make sure that the INIT chunk has a valid length. - * In this case, we generate a protocol violation since we have - * an association established. - */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); - if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port) return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands); @@ -1882,9 +1884,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a( * its peer. */ if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { - disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc, - SCTP_ST_CHUNK(chunk->chunk_hdr->type), - chunk, commands); + disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc, + SCTP_ST_CHUNK(chunk->chunk_hdr->type), + chunk, commands); if (SCTP_DISPOSITION_NOMEM == disposition) goto nomem; 
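Review bot: in the `sctp_sf_do_unexpected_init()` hunk the disposition for an INIT with an invalid length changes from `sctp_sf_violation_chunklen()` (an ABORT carrying a protocol-violation error) to a silent `sctp_sf_pdiscard()`, and the comment that justified the old choice ("we generate a protocol violation since we have an association established") is dropped without a replacement; the commit message only says the length check has to run before the vtag check, so it should also state why an ABORT is no longer the right response here (an ABORT built at this point would be sent in reply to a packet whose tag has not yet been checked). A short comment on the new check would carry the same explanation in the code.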
@@ -2970,13 +2972,11 @@ enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( * that belong to this association, it should discard the INIT chunk and * retransmit the SHUTDOWN ACK chunk. */ -enum sctp_disposition sctp_sf_do_9_2_reshutack( - struct net *net, - const struct sctp_endpoint *ep, - const struct sctp_association *asoc, - const union sctp_subtype type, - void *arg, - struct sctp_cmd_seq *commands) +static enum sctp_disposition +__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const union sctp_subtype type, void *arg, + struct sctp_cmd_seq *commands) { struct sctp_chunk *chunk = arg; struct sctp_chunk *reply; 
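Review bot: the block comment above this hunk ("it should discard the INIT chunk and retransmit the SHUTDOWN ACK chunk") now documents the renamed static `__sctp_sf_do_9_2_reshutack()`, while the exported `sctp_sf_do_9_2_reshutack()` added later in the patch, which is the state-table entry point, has no comment of its own; moving the comment to the wrapper, or adding a one-line note on the inner function that it is the body shared with `sctp_sf_do_dupcook_a()`, keeps the layout consistent with the other `sctp_sf_*` functions.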
@@ -3010,6 +3010,26 @@ enum sctp_disposition sctp_sf_do_9_2_reshutack( return SCTP_DISPOSITION_NOMEM; } +enum sctp_disposition +sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const union sctp_subtype type, void *arg, + struct sctp_cmd_seq *commands) +{ + struct sctp_chunk *chunk = arg; + + if (!chunk->singleton) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + if (chunk->sctp_hdr->vtag != 0) + return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); + + return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands); +} + /* * sctp_sf_do_ecn_cwr *

From patchwork Wed Oct 20 11:42:43 2021
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 12572149
X-Patchwork-Delegate: kuba@kernel.org
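Review bot: the new `sctp_sf_do_9_2_reshutack()` wrapper in the last hunk of patch 2/7 repeats the three INIT pre-checks (`!chunk->singleton`, `sctp_chunk_length_valid(..., sizeof(struct sctp_init_chunk))`, `chunk->sctp_hdr->vtag != 0`) that `sctp_sf_do_5_1B_init()` and `sctp_sf_do_unexpected_init()` perform in the earlier hunks; a small shared helper would keep the three copies from drifting apart. It is also worth a comment that `sctp_sf_do_dupcook_a()` deliberately calls the inner `__sctp_sf_do_9_2_reshutack()`, since these checks are specific to an INIT (a COOKIE_ECHO carries a non-zero tag and would be rejected by the `vtag != 0` test) and a later reader may otherwise take the direct call for a missed update.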
From: Xin Long
To: network dev , davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner , michael.tuexen@lurchi.franken.de
Subject: [PATCH net 3/7] sctp: fix the processing for INIT_ACK chunk
Date: Wed, 20 Oct 2021 07:42:43 -0400
Message-Id:
X-Mailer: git-send-email 2.27.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Currently INIT_ACK chunk in non-cookie_echoed state is processed in sctp_sf_discard_chunk() to send an abort with the existent asoc's vtag if the chunk length is not valid. But the vtag in the chunk's sctphdr is not verified, which may be exploited by one to cook a malicious chunk to terminate a SCTP asoc.

sctp_sf_discard_chunk() is also called in many other places to send an abort, and most of those have this problem.

This patch is to fix it by sending abort with the existent asoc's vtag only if the vtag from the chunk's sctphdr is verified in sctp_sf_discard_chunk().

Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(), the chunk length has been verified before sctp_sf_discard_chunk(), so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
---
 net/sctp/sm_statefuns.c | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 9bfa8cca9974..672e5308839b 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2343,7 +2343,7 @@ enum sctp_disposition sctp_sf_shutdown_pending_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); @@ -2389,7 +2389,7 @@ enum sctp_disposition sctp_sf_shutdown_sent_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); @@ -2659,7 +2659,7 @@ enum sctp_disposition sctp_sf_do_9_1_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); @@ -3865,6 +3865,11 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net, return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); } + /* Make sure that the ASCONF ADDIP chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, + commands); + /* ADD-IP: Section 4.1.1 * This chunk MUST be sent in an authenticated way by using * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 
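Review bot: the three abort-handler hunks (`sctp_sf_shutdown_pending_abort()`, `sctp_sf_shutdown_sent_abort()`, `sctp_sf_do_9_1_abort()`) switch the SCTP_ADDR_DEL case to `sctp_sf_pdiscard()`, but the commit message says these callers are changed to `sctp_sf_discard()`; the message should name the function actually used. Since `sctp_sf_pdiscard()` discards the whole packet, whereas the `sctp_sf_discard_chunk()` it replaces discarded only this chunk and let the remaining chunks in the packet be processed, the message should also say that dropping the rest of the packet is the intended behaviour for an ABORT whose destination address is being deleted.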
@@ -3873,13 +3878,7 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net, */ if (!asoc->peer.asconf_capable || (!net->sctp.addip_noauth && !chunk->auth)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, - commands); - - /* Make sure that the ASCONF ADDIP chunk has a valid length. */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); hdr = (struct sctp_addiphdr *)chunk->skb->data; serial = ntohl(hdr->serial); @@ -4008,6 +4007,12 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); } + /* Make sure that the ADDIP chunk has a valid length. */ + if (!sctp_chunk_length_valid(asconf_ack, + sizeof(struct sctp_addip_chunk))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, + commands); + /* ADD-IP, Section 4.1.2: * This chunk MUST be sent in an authenticated way by using * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk @@ -4016,14 +4021,7 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, */ if (!asoc->peer.asconf_capable || (!net->sctp.addip_noauth && !asconf_ack->auth)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, - commands); - - /* Make sure that the ADDIP chunk has a valid length. */ - if (!sctp_chunk_length_valid(asconf_ack, - sizeof(struct sctp_addip_chunk))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; rcvd_serial = ntohl(addip_hdr->serial); 
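Review bot: in both the `sctp_sf_do_asconf()` and `sctp_sf_do_asconf_ack()` hunks the length check now runs before the `asconf_capable`/auth check, so a malformed ASCONF or ASCONF-ACK from a peer that never negotiated ADD-IP, or that sent the chunk unauthenticated, now gets `sctp_sf_violation_chunklen()` (an ABORT) where it used to be silently discarded; that is only acceptable if the vtag has been verified before this point, which the visible context does not show, so the commit message should state the resulting order (tag check, then length, then auth) as the reason for the move rather than only that the check was moved ahead.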
@@ -4595,6 +4593,9 @@ enum sctp_disposition sctp_sf_discard_chunk(struct net *net, { struct sctp_chunk *chunk = arg; + if (asoc && !sctp_vtag_verify(chunk, asoc)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the chunk has a valid length. * Since we don't know the chunk type, we use a general * chunkhdr structure to make a comparison.

From patchwork Wed Oct 20 11:42:44 2021
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 12572165
X-Patchwork-Delegate: kuba@kernel.org
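Review bot: the `asoc &&` guard in the `sctp_sf_discard_chunk()` hunk of patch 3/7 is doing real work, because this function is also reached for chunks that have no association, where any ABORT is built by `sctp_ootb_pkt_new()` from the chunk's own tag; a comment on the new check saying exactly that would stop someone from dropping the guard later, and it makes clear that callers with `asoc == NULL` get no additional protection from this patch.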
From: Xin Long
To: network dev , davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner , michael.tuexen@lurchi.franken.de
Subject: [PATCH net 4/7] sctp: fix the processing for COOKIE_ECHO chunk
Date: Wed, 20 Oct 2021 07:42:44 -0400
Message-Id: <98522f9dfeafa25682b9ce55a93e1503287b2868.1634730082.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

1. In closed state: in sctp_sf_do_5_1D_ce(): When asoc is NULL, making the packet for abort will use the chunk's vtag in sctp_ootb_pkt_new(). But when asoc exists, the vtag from the chunk should be verified before using peer.i.init_tag to make the packet for abort in sctp_ootb_pkt_new(), and the chunk should just be discarded if the vtag is not correct.

2. In the other states: in sctp_sf_do_5_2_4_dupcook(): asoc always exists, but a duplicate cookie_echo's vtag will be handled by sctp_tietags_compare(), which then takes action, so before that we only verify the vtag for the abort sent for an invalid chunk length.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
---
 net/sctp/sm_statefuns.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 672e5308839b..96a069d725e9 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -710,6 +710,9 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, struct sock *sk; int error = 0; + if (asoc && !sctp_vtag_verify(chunk, asoc)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* If the packet is an OOTB packet which is temporarily on the * control endpoint, respond with an ABORT. */
@@ -724,7 +727,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, * in sctp_unpack_cookie(). */ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) - return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, + commands); /* If the endpoint is not listening or if the number of associations * on the TCP-style socket exceed the max backlog, respond with an 
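Review bot: the second `sctp_sf_do_5_1D_ce()` hunk turns an invalid-length COOKIE_ECHO from a silent `sctp_sf_pdiscard()` into an ABORT via `sctp_sf_violation_chunklen()`, but the commit message describes only the added vtag check and does not mention that the closed-state path now responds instead of dropping; the comment above the check (which refers to `sctp_unpack_cookie()`) should be refreshed to explain why responding is safe here: with `asoc` NULL the ABORT is built from the chunk's own tag, and with an `asoc` the tag has already been verified by the check added in the previous hunk.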
@@ -2204,9 +2208,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook( * enough for the chunk header. Cookie length verification is * done later. */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) { + if (!sctp_vtag_verify(chunk, asoc)) + asoc = NULL; + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); + } /* "Decode" the chunk. We have no optional parameters so we * are in good shape.

From patchwork Wed Oct 20 11:42:45 2021
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 12572167
X-Patchwork-Delegate: kuba@kernel.org
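Review bot: in the `sctp_sf_do_5_2_4_dupcook()` hunk of patch 4/7, clearing the local `asoc` to NULL when the tag does not verify is a subtle way of forcing `sctp_sf_violation_chunklen()` onto the no-association path so that the ABORT carries the chunk's own tag rather than the association's; please add a comment on the `asoc = NULL;` line saying so, since a reader will otherwise take it for an accidental loss of the association pointer, and note in the comment that the existing comment above ("Cookie length verification is done later") still applies.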
From: Xin Long
To: network dev , davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner , michael.tuexen@lurchi.franken.de
Subject: [PATCH net 5/7] sctp: add vtag check in sctp_sf_violation
Date: Wed, 20 Oct 2021 07:42:45 -0400
Message-Id: <5be6dfdbfa3b618e169c5d03e2b1109310ac5938.1634730082.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk in cookie_wait state, and some other places are also using it. The vtag in the chunk's sctphdr should be verified, otherwise, as later in chunk length check, it may send abort with the existent asoc's vtag, which can be exploited by one to cook a malicious chunk to terminate a SCTP asoc.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
---
 net/sctp/sm_statefuns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 96a069d725e9..36328ab88bdd 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -4669,6 +4669,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net, { struct sctp_chunk *chunk = arg; + if (!sctp_vtag_verify(chunk, asoc)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the chunk has a valid length. */ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
From patchwork Wed Oct 20 11:42:46 2021
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 12572169
X-Patchwork-Delegate: kuba@kernel.org
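Review bot: the new `if (!sctp_vtag_verify(chunk, asoc))` dereferences asoc with no NULL guard, whereas the matching hunk in 7/7 writes `if (asoc && !sctp_vtag_verify(chunk, asoc))` because sctp_sf_ootb() can run without an association; since the commit message says sctp_sf_violation() is also reached from "some other places", it should either state that every such caller has a non-NULL asoc or use the guarded form. One sentence on why this hunk answers a bad tag with sctp_sf_pdiscard() (silent drop of the whole packet, RFC 4960 section 8.5) while 6/7 and 7/7 instead clear asoc and reflect the tag would also help whoever reads the series as a whole.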
From: Xin Long
To: network dev , davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner , michael.tuexen@lurchi.franken.de
Subject: [PATCH net 6/7] sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
Date: Wed, 20 Oct 2021 07:42:46 -0400
Message-Id:
X-Mailer: git-send-email 2.27.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

sctp_sf_do_8_5_1_E_sa() is called when processing a SHUTDOWN_ACK chunk in the
cookie_wait and cookie_echoed states. The vtag in the chunk's sctphdr should be
verified; otherwise, as in the later chunk length check, it may send an abort
with the existing asoc's vtag, which can be exploited by one to cook a
malicious chunk to terminate an SCTP asoc.

Note that when it fails to verify the vtag from the SHUTDOWN-ACK chunk, a
SHUTDOWN COMPLETE message will still be sent back to the peer, but with the
vtag from the SHUTDOWN-ACK chunk, as said in 5) of rfc4960#section-8.4.

While at it, also remove the unnecessary chunk length check from
sctp_sf_shut_8_4_5(), as it's already done in both places that call
sctp_sf_shut_8_4_5().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
---
 net/sctp/sm_statefuns.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 36328ab88bdd..a3545498a038 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3803,12 +3803,6 @@ static enum sctp_disposition sctp_sf_shut_8_4_5( SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); - /* If the chunk length is invalid, we don't want to process - * the reset of the packet. - */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) - return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); - /* We need to discard the rest of the packet to prevent * potential boomming attacks from additional bundled chunks. * This is documented in SCTP Threats ID.
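Review bot: dropping the sctp_chunk_length_valid() check from sctp_sf_shut_8_4_5() is only safe if every caller has already validated the chunk, and the commit message asserts this for "both places" without naming them; only sctp_sf_do_8_5_1_E_sa() is visible in this patch, so please name the other caller in the message so the claim can be checked. Bundling this cleanup into a Fixes:-tagged net patch "while at it" also makes the stable backport larger than the fix needs; a separate net-next patch is the usual form. Minor and pre-existing: the kept context comment still reads "boomming".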
@@ -3836,6 +3830,9 @@ enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, { struct sctp_chunk *chunk = arg; + if (!sctp_vtag_verify(chunk, asoc)) + asoc = NULL; + /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
From patchwork Wed Oct 20 11:42:47 2021
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 12572171
X-Patchwork-Delegate: kuba@kernel.org
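Review bot: once `asoc = NULL` is set on a tag mismatch, the sctp_sf_violation_chunklen() call right below and the SHUTDOWN COMPLETE path both run without an association and must tolerate a NULL asoc; the commit message explains the SHUTDOWN COMPLETE case (RFC 4960 section 8.4 item 5, reflected vtag with the T bit) but not that a bad-length chunk with a bad tag now also draws an OOTB-style ABORT instead of one carrying the association's tag, which is the actual fix and deserves a sentence. A short comment above the check noting that COOKIE_WAIT and COOKIE_ECHOED always have an association (which is why, unlike sctp_sf_ootb() in 7/7, no `asoc &&` guard is needed here) would make the unguarded dereference obviously safe.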
From: Xin Long
To: network dev , davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner , michael.tuexen@lurchi.franken.de
Subject: [PATCH net 7/7] sctp: add vtag check in sctp_sf_ootb
Date: Wed, 20 Oct 2021 07:42:47 -0400
Message-Id:
X-Mailer: git-send-email 2.27.0
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

sctp_sf_ootb() is called when processing a DATA chunk in the closed state, and
many other places are also using it. The vtag in the chunk's sctphdr should be
verified; otherwise, as in the later chunk length check, it may send an abort
with the existing asoc's vtag, which can be exploited by one to cook a
malicious chunk to terminate an SCTP asoc.

When it fails to verify the vtag from the chunk, this patch sets asoc to NULL,
so that the abort will be made with the vtag from the received chunk later.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
---
 net/sctp/sm_statefuns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index a3545498a038..fb3da4d8f4a3 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3688,6 +3688,9 @@ enum sctp_disposition sctp_sf_ootb(struct net *net, SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); + if (asoc && !sctp_vtag_verify(chunk, asoc)) + asoc = NULL; + ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; do { /* Report violation if the chunk is less then minimal */
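Review bot: the `asoc &&` guard is the right shape here because sctp_sf_ootb() handles chunks in the CLOSED state where asoc is already NULL, and checking the tag once before the do loop means one bad vtag turns every bundled chunk in the packet into OOTB handling, which is what RFC 4960 section 8.4 asks for; a one-line comment saying that asoc is cleared so the later ABORT reflects the received vtag with the T bit set (section 8.4 item 8) would spare the next reader a trip to the commit message. The hunk stops inside the loop, so the ABORT construction it relies on is not shown and should be confirmed to handle asoc == NULL.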
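The attack that the three commit messages above describe (5/7, 6/7 and 7/7 all fix the same pattern), as an added example that is not part of the patch series or of net/sctp: a small user-space C model of the RFC 4960 verification-tag rules. The association tags (0xA11CE / 0xB0B), the ports, the HEARTBEAT_ACK chunk type of the forged packet and the handle_before()/handle_after() functions are all constructed for this demo and reduce the kernel state machine to its vtag and chunk-length checks; they are not the kernel's own functions. It shows why the missing check matters: before the fix, a packet with any vtag and a malformed chunk draws an ABORT stamped with the real peer tag, which the peer accepts under RFC 4960 section 8.5.1 (B) and tears the association down; after it, the packet is either silently discarded (5/7) or answered OOTB-style with the received vtag reflected and the T bit set (6/7, 7/7), which the peer ignores.

```c
/* Added example (not code from this series or from net/sctp): a user-space C
 * model of the RFC 4960 verification-tag rules that patches 5/7, 6/7 and 7/7
 * enforce. Tags, ports and packets below are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SCTP_CID_HEARTBEAT_ACK 5    /* chunk type used in the forged packet */
#define SCTP_CHUNK_FLAG_T      0x01 /* T bit: vtag is reflected (RFC 4960 3.3.7) */
#define SCTP_HDR_LEN           12   /* common header: ports, vtag, checksum */
#define SCTP_CHUNKHDR_LEN      4    /* type, flags, length */

struct asoc { uint32_t my_vtag; uint32_t peer_vtag; }; /* models asoc->c.my_vtag/peer_vtag */
enum disposition { DISP_PROCESS, DISP_DISCARD, DISP_ABORT };
enum outcome { OUT_DISCARDED, OUT_PROCESSED, OUT_ABORT_REJECTED, OUT_ABORT_ACCEPTED };
/* What we would send back: the vtag in our ABORT's common header and its chunk flags */
struct verdict { enum disposition disp; uint32_t abort_vtag; uint8_t abort_flags; };

/* Network-order field access on a byte buffer (no struct overlays, so no padding issues) */
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Constructed packet: common header plus one chunk header. */
size_t build_packet(uint8_t *buf, uint32_t vtag, uint8_t type, uint16_t length_field)
{
	put16(buf, 36412); put16(buf + 2, 36412); /* arbitrary ports */
	put32(buf + 4, vtag);
	put32(buf + 8, 0);                         /* CRC32c not modelled */
	buf[12] = type; buf[13] = 0;
	put16(buf + 14, length_field);
	return SCTP_HDR_LEN + SCTP_CHUNKHDR_LEN;
}

/* RFC 4960 8.5, what sctp_vtag_verify() checks: the packet's vtag must equal our own tag. */
int vtag_verify(const uint8_t *pkt, const struct asoc *a) { return get32(pkt + 4) == a->my_vtag; }

/* Counterpart of sctp_chunk_length_valid(): declared length covers the header and fits. */
int chunk_length_valid(const uint8_t *pkt, size_t len, size_t required)
{
	uint16_t clen;
	if (len < SCTP_HDR_LEN + SCTP_CHUNKHDR_LEN)
		return 0;
	clen = get16(pkt + 14);
	return clen >= required && SCTP_HDR_LEN + clen <= len;
}

/* With an association the ABORT carries the peer's tag and no T bit; without one
 * (OOTB) it reflects the received vtag and sets T (RFC 4960 8.4 item 8). */
static struct verdict abort_for(const uint8_t *pkt, const struct asoc *a)
{
	struct verdict v = { DISP_ABORT, a ? a->peer_vtag : get32(pkt + 4),
			     a ? 0 : SCTP_CHUNK_FLAG_T };
	return v;
}

/* Pre-patch shape: length checked first, vtag never compared, so a malformed chunk
 * draws an ABORT stamped with the real association's peer tag. */
struct verdict handle_before(const uint8_t *pkt, size_t len, const struct asoc *a)
{
	struct verdict ok = { DISP_PROCESS, 0, 0 };
	return chunk_length_valid(pkt, len, SCTP_CHUNKHDR_LEN) ? ok : abort_for(pkt, a);
}

/* Patched shape: discard=1 mirrors 5/7 (sctp_sf_pdiscard on mismatch); discard=0
 * mirrors 6/7 and 7/7 (asoc = NULL, so any later ABORT is built OOTB-style). */
struct verdict handle_after(const uint8_t *pkt, size_t len, const struct asoc *a, int discard)
{
	struct verdict v = { DISP_PROCESS, 0, 0 };
	if (a && !vtag_verify(pkt, a)) {
		if (discard) { v.disp = DISP_DISCARD; return v; }
		a = NULL;
	}
	return chunk_length_valid(pkt, len, SCTP_CHUNKHDR_LEN) ? v : abort_for(pkt, a);
}

/* RFC 4960 8.5.1 (B): the peer accepts an ABORT carrying its own tag with T clear,
 * or its peer's tag with T set; anything else is silently dropped. */
int peer_accepts_abort(const struct asoc *peer, uint32_t vtag, uint8_t flags)
{
	return (flags & SCTP_CHUNK_FLAG_T) ? vtag == peer->peer_vtag : vtag == peer->my_vtag;
}

/* One exchange: A (constructed tags 0xA11CE/0xB0B) handles a packet, B judges any ABORT. */
enum outcome exchange(int patched, int discard, uint32_t vtag, uint16_t length_field)
{
	struct asoc a = { 0xA11CE, 0xB0B }, b = { 0xB0B, 0xA11CE };
	uint8_t pkt[16];
	size_t len = build_packet(pkt, vtag, SCTP_CID_HEARTBEAT_ACK, length_field);
	struct verdict v = patched ? handle_after(pkt, len, &a, discard) : handle_before(pkt, len, &a);
	if (v.disp == DISP_DISCARD) return OUT_DISCARDED;
	if (v.disp == DISP_PROCESS) return OUT_PROCESSED;
	return peer_accepts_abort(&b, v.abort_vtag, v.abort_flags) ? OUT_ABORT_ACCEPTED : OUT_ABORT_REJECTED;
}

int main(void)
{
	/* Forged packet: unknown vtag 0xDEAD, chunk length 2 (shorter than the 4-byte header) */
	printf("unpatched: %d  5/7: %d  6/7,7/7: %d  (3 = B tears down, 0 = dropped, 2 = ABORT ignored)\n",
	       exchange(0, 0, 0xDEAD, 2), exchange(1, 1, 0xDEAD, 2), exchange(1, 0, 0xDEAD, 2));
	return 0;
}
```

Build with `cc -std=c99 -Wall vtag_demo.c`. The forged packet is accepted as a violation only in the unpatched path, and a genuinely malformed chunk that arrives with the correct vtag still draws an ABORT the peer accepts, which is the legitimate violation path all three patches keep intact.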