2008-01-11 21:57:09 +07:00
|
|
|
/* SCTP kernel implementation
|
2005-04-17 05:20:36 +07:00
|
|
|
* (C) Copyright IBM Corp. 2001, 2004
|
|
|
|
* Copyright (c) 1999-2000 Cisco, Inc.
|
|
|
|
* Copyright (c) 1999-2001 Motorola, Inc.
|
|
|
|
* Copyright (c) 2001-2002 Intel Corp.
|
|
|
|
*
|
2008-01-11 21:57:09 +07:00
|
|
|
* This file is part of the SCTP kernel implementation
|
2005-04-17 05:20:36 +07:00
|
|
|
*
|
|
|
|
* These functions work with the state functions in sctp_sm_statefuns.c
|
|
|
|
* to implement the state operations. These functions implement the
|
|
|
|
* steps which require modifying existing data structures.
|
|
|
|
*
|
2008-01-11 21:57:09 +07:00
|
|
|
* This SCTP implementation is free software;
|
2005-04-17 05:20:36 +07:00
|
|
|
* you can redistribute it and/or modify it under the terms of
|
|
|
|
* the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2, or (at your option)
|
|
|
|
* any later version.
|
|
|
|
*
|
2008-01-11 21:57:09 +07:00
|
|
|
* This SCTP implementation is distributed in the hope that it
|
2005-04-17 05:20:36 +07:00
|
|
|
* will be useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
|
|
* ************************
|
|
|
|
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
* See the GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2013-12-06 21:28:48 +07:00
|
|
|
* along with GNU CC; see the file COPYING. If not, see
|
|
|
|
* <http://www.gnu.org/licenses/>.
|
2005-04-17 05:20:36 +07:00
|
|
|
*
|
|
|
|
* Please send any bug reports or fixes you make to the
|
|
|
|
* email address(es):
|
2013-07-23 19:51:47 +07:00
|
|
|
* lksctp developers <linux-sctp@vger.kernel.org>
|
2005-04-17 05:20:36 +07:00
|
|
|
*
|
|
|
|
* Written or modified by:
|
|
|
|
* La Monte H.P. Yarroll <piggy@acm.org>
|
|
|
|
* Karl Knutson <karl@athena.chicago.il.us>
|
|
|
|
* C. Robin <chris@hundredacre.ac.uk>
|
|
|
|
* Jon Grimm <jgrimm@us.ibm.com>
|
|
|
|
* Xingang Guo <xingang.guo@intel.com>
|
|
|
|
* Dajiang Zhang <dajiang.zhang@nokia.com>
|
|
|
|
* Sridhar Samudrala <sri@us.ibm.com>
|
|
|
|
* Daisy Chang <daisyc@us.ibm.com>
|
|
|
|
* Ardelle Fan <ardelle.fan@intel.com>
|
|
|
|
* Kevin Gao <kevin.gao@intel.com>
|
|
|
|
*/
|
|
|
|
|
2010-08-24 20:21:08 +07:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
2016-01-24 20:20:12 +07:00
|
|
|
#include <crypto/hash.h>
|
2005-04-17 05:20:36 +07:00
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/ip.h>
|
|
|
|
#include <linux/ipv6.h>
|
|
|
|
#include <linux/net.h>
|
|
|
|
#include <linux/inet.h>
|
2007-10-23 17:46:32 +07:00
|
|
|
#include <linux/scatterlist.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 15:04:11 +07:00
|
|
|
#include <linux/slab.h>
|
2005-04-17 05:20:36 +07:00
|
|
|
#include <net/sock.h>
|
|
|
|
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/random.h> /* for get_random_bytes */
|
|
|
|
#include <net/sctp/sctp.h>
|
|
|
|
#include <net/sctp/sm.h>
|
|
|
|
|
2013-08-10 09:05:36 +07:00
|
|
|
static struct sctp_chunk *sctp_make_control(const struct sctp_association *asoc,
|
2016-03-11 04:33:07 +07:00
|
|
|
__u8 type, __u8 flags, int paylen,
|
|
|
|
gfp_t gfp);
|
2013-08-10 09:05:36 +07:00
|
|
|
static struct sctp_chunk *sctp_make_data(const struct sctp_association *asoc,
|
2016-03-11 04:33:07 +07:00
|
|
|
__u8 flags, int paylen, gfp_t gfp);
|
2013-08-10 09:05:36 +07:00
|
|
|
static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
|
2016-03-11 04:33:07 +07:00
|
|
|
__u8 type, __u8 flags, int paylen,
|
|
|
|
gfp_t gfp);
|
2005-04-17 05:20:36 +07:00
|
|
|
static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep,
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *init_chunk,
|
|
|
|
int *cookie_len,
|
|
|
|
const __u8 *raw_addrs, int addrs_len);
|
|
|
|
static int sctp_process_param(struct sctp_association *asoc,
|
|
|
|
union sctp_params param,
|
|
|
|
const union sctp_addr *peer_addr,
|
2005-10-07 13:46:04 +07:00
|
|
|
gfp_t gfp);
|
2007-11-29 20:50:35 +07:00
|
|
|
static void *sctp_addto_param(struct sctp_chunk *chunk, int len,
|
|
|
|
const void *data);
|
2014-01-10 13:31:11 +07:00
|
|
|
static void *sctp_addto_chunk_fixed(struct sctp_chunk *, int len,
|
|
|
|
const void *data);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2013-08-10 09:05:36 +07:00
|
|
|
/* Control chunk destructor */
|
|
|
|
static void sctp_control_release_owner(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
/*TODO: do memory release */
|
|
|
|
}
|
|
|
|
|
|
|
|
static void sctp_control_set_owner_w(struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct sctp_association *asoc = chunk->asoc;
|
|
|
|
struct sk_buff *skb = chunk->skb;
|
|
|
|
|
|
|
|
/* TODO: properly account for control chunks.
|
|
|
|
* To do it right we'll need:
|
|
|
|
* 1) endpoint if association isn't known.
|
|
|
|
* 2) proper memory accounting.
|
|
|
|
*
|
|
|
|
* For now don't do anything for now.
|
|
|
|
*/
|
|
|
|
skb->sk = asoc ? asoc->base.sk : NULL;
|
|
|
|
skb->destructor = sctp_control_release_owner;
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* What was the inbound interface for this chunk? */
|
|
|
|
int sctp_chunk_iif(const struct sctp_chunk *chunk)
|
|
|
|
{
|
2016-07-14 01:08:58 +07:00
|
|
|
struct sk_buff *skb = chunk->skb;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2016-07-14 01:08:58 +07:00
|
|
|
return SCTP_INPUT_CB(skb)->af->skb_iif(skb);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* RFC 2960 3.3.2 Initiation (INIT) (1)
|
|
|
|
*
|
|
|
|
* Note 2: The ECN capable field is reserved for future use of
|
|
|
|
* Explicit Congestion Notification.
|
|
|
|
*/
|
|
|
|
static const struct sctp_paramhdr ecap_param = {
|
|
|
|
SCTP_PARAM_ECN_CAPABLE,
|
2009-02-01 15:45:17 +07:00
|
|
|
cpu_to_be16(sizeof(struct sctp_paramhdr)),
|
2005-04-17 05:20:36 +07:00
|
|
|
};
|
|
|
|
static const struct sctp_paramhdr prsctp_param = {
|
|
|
|
SCTP_PARAM_FWD_TSN_SUPPORT,
|
2009-02-01 15:45:17 +07:00
|
|
|
cpu_to_be16(sizeof(struct sctp_paramhdr)),
|
2005-04-17 05:20:36 +07:00
|
|
|
};
|
|
|
|
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
/* A helper to initialize an op error inside a
|
2005-04-17 05:20:36 +07:00
|
|
|
* provided chunk, as most cause codes will be embedded inside an
|
|
|
|
* abort chunk.
|
|
|
|
*/
|
2006-11-21 07:59:45 +07:00
|
|
|
void sctp_init_cause(struct sctp_chunk *chunk, __be16 cause_code,
|
2007-08-21 14:50:01 +07:00
|
|
|
size_t paylen)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
sctp_errhdr_t err;
|
|
|
|
__u16 len;
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
/* Cause code constants are now defined in network order. */
|
2005-04-17 05:20:36 +07:00
|
|
|
err.cause = cause_code;
|
|
|
|
len = sizeof(sctp_errhdr_t) + paylen;
|
|
|
|
err.length = htons(len);
|
2007-01-10 05:35:51 +07:00
|
|
|
chunk->subh.err_hdr = sctp_addto_chunk(chunk, sizeof(sctp_errhdr_t), &err);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
/* A helper to initialize an op error inside a
|
|
|
|
* provided chunk, as most cause codes will be embedded inside an
|
|
|
|
* abort chunk. Differs from sctp_init_cause in that it won't oops
|
|
|
|
* if there isn't enough space in the op error chunk
|
|
|
|
*/
|
2012-07-13 14:16:37 +07:00
|
|
|
static int sctp_init_cause_fixed(struct sctp_chunk *chunk, __be16 cause_code,
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
size_t paylen)
|
|
|
|
{
|
|
|
|
sctp_errhdr_t err;
|
|
|
|
__u16 len;
|
|
|
|
|
|
|
|
/* Cause code constants are now defined in network order. */
|
|
|
|
err.cause = cause_code;
|
|
|
|
len = sizeof(sctp_errhdr_t) + paylen;
|
|
|
|
err.length = htons(len);
|
|
|
|
|
2010-05-18 12:51:58 +07:00
|
|
|
if (skb_tailroom(chunk->skb) < len)
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
return -ENOSPC;
|
|
|
|
chunk->subh.err_hdr = sctp_addto_chunk_fixed(chunk,
|
|
|
|
sizeof(sctp_errhdr_t),
|
|
|
|
&err);
|
|
|
|
return 0;
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
/* 3.3.2 Initiation (INIT) (1)
|
|
|
|
*
|
|
|
|
* This chunk is used to initiate a SCTP association between two
|
|
|
|
* endpoints. The format of the INIT chunk is shown below:
|
|
|
|
*
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Type = 1 | Chunk Flags | Chunk Length |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Initiate Tag |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Advertised Receiver Window Credit (a_rwnd) |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Number of Outbound Streams | Number of Inbound Streams |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Initial TSN |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* \ \
|
|
|
|
* / Optional/Variable-Length Parameters /
|
|
|
|
* \ \
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* The INIT chunk contains the following parameters. Unless otherwise
|
|
|
|
* noted, each parameter MUST only be included once in the INIT chunk.
|
|
|
|
*
|
|
|
|
* Fixed Parameters Status
|
|
|
|
* ----------------------------------------------
|
|
|
|
* Initiate Tag Mandatory
|
|
|
|
* Advertised Receiver Window Credit Mandatory
|
|
|
|
* Number of Outbound Streams Mandatory
|
|
|
|
* Number of Inbound Streams Mandatory
|
|
|
|
* Initial TSN Mandatory
|
|
|
|
*
|
|
|
|
* Variable Parameters Status Type Value
|
|
|
|
* -------------------------------------------------------------
|
|
|
|
* IPv4 Address (Note 1) Optional 5
|
|
|
|
* IPv6 Address (Note 1) Optional 6
|
|
|
|
* Cookie Preservative Optional 9
|
|
|
|
* Reserved for ECN Capable (Note 2) Optional 32768 (0x8000)
|
|
|
|
* Host Name Address (Note 3) Optional 11
|
|
|
|
* Supported Address Types (Note 4) Optional 12
|
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_init(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_bind_addr *bp,
|
2005-10-07 13:46:04 +07:00
|
|
|
gfp_t gfp, int vparam_len)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2012-08-07 14:29:57 +07:00
|
|
|
struct net *net = sock_net(asoc->base.sk);
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
struct sctp_endpoint *ep = asoc->ep;
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_inithdr_t init;
|
|
|
|
union sctp_params addrs;
|
|
|
|
size_t chunksize;
|
|
|
|
struct sctp_chunk *retval = NULL;
|
|
|
|
int num_types, addrs_len = 0;
|
|
|
|
struct sctp_sock *sp;
|
|
|
|
sctp_supported_addrs_param_t sat;
|
2006-11-21 08:25:49 +07:00
|
|
|
__be16 types[2];
|
2006-12-21 07:07:04 +07:00
|
|
|
sctp_adaptation_ind_param_t aiparam;
|
2007-09-17 05:53:56 +07:00
|
|
|
sctp_supported_ext_param_t ext_param;
|
|
|
|
int num_ext = 0;
|
|
|
|
__u8 extensions[3];
|
2007-09-17 09:32:11 +07:00
|
|
|
sctp_paramhdr_t *auth_chunks = NULL,
|
|
|
|
*auth_hmacs = NULL;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* RFC 2960 3.3.2 Initiation (INIT) (1)
|
|
|
|
*
|
|
|
|
* Note 1: The INIT chunks can contain multiple addresses that
|
|
|
|
* can be IPv4 and/or IPv6 in any combination.
|
|
|
|
*/
|
|
|
|
retval = NULL;
|
|
|
|
|
|
|
|
/* Convert the provided bind address list to raw format. */
|
|
|
|
addrs = sctp_bind_addrs_to_raw(bp, &addrs_len, gfp);
|
|
|
|
|
|
|
|
init.init_tag = htonl(asoc->c.my_vtag);
|
|
|
|
init.a_rwnd = htonl(asoc->rwnd);
|
|
|
|
init.num_outbound_streams = htons(asoc->c.sinit_num_ostreams);
|
|
|
|
init.num_inbound_streams = htons(asoc->c.sinit_max_instreams);
|
|
|
|
init.initial_tsn = htonl(asoc->c.initial_tsn);
|
|
|
|
|
|
|
|
/* How many address types are needed? */
|
|
|
|
sp = sctp_sk(asoc->base.sk);
|
|
|
|
num_types = sp->pf->supported_addrs(sp, types);
|
|
|
|
|
2010-04-28 15:47:21 +07:00
|
|
|
chunksize = sizeof(init) + addrs_len;
|
2016-09-21 18:45:55 +07:00
|
|
|
chunksize += SCTP_PAD4(SCTP_SAT_LEN(num_types));
|
2005-04-17 05:20:36 +07:00
|
|
|
chunksize += sizeof(ecap_param);
|
2007-11-29 20:50:35 +07:00
|
|
|
|
2016-07-09 18:47:40 +07:00
|
|
|
if (asoc->prsctp_enable)
|
2008-01-07 15:28:16 +07:00
|
|
|
chunksize += sizeof(prsctp_param);
|
|
|
|
|
2007-09-17 05:53:56 +07:00
|
|
|
/* ADDIP: Section 4.2.7:
|
|
|
|
* An implementation supporting this extension [ADDIP] MUST list
|
|
|
|
* the ASCONF,the ASCONF-ACK, and the AUTH chunks in its INIT and
|
|
|
|
* INIT-ACK parameters.
|
|
|
|
*/
|
2012-08-07 14:29:57 +07:00
|
|
|
if (net->sctp.addip_enable) {
|
2007-09-17 05:53:56 +07:00
|
|
|
extensions[num_ext] = SCTP_CID_ASCONF;
|
|
|
|
extensions[num_ext+1] = SCTP_CID_ASCONF_ACK;
|
|
|
|
num_ext += 2;
|
|
|
|
}
|
|
|
|
|
2009-03-12 16:49:20 +07:00
|
|
|
if (sp->adaptation_ind)
|
|
|
|
chunksize += sizeof(aiparam);
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
chunksize += vparam_len;
|
|
|
|
|
2007-09-17 09:32:11 +07:00
|
|
|
/* Account for AUTH related parameters */
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (ep->auth_enable) {
|
2007-09-17 09:32:11 +07:00
|
|
|
/* Add random parameter length*/
|
|
|
|
chunksize += sizeof(asoc->c.auth_random);
|
|
|
|
|
|
|
|
/* Add HMACS parameter length if any were defined */
|
|
|
|
auth_hmacs = (sctp_paramhdr_t *)asoc->c.auth_hmacs;
|
|
|
|
if (auth_hmacs->length)
|
2016-09-21 18:45:55 +07:00
|
|
|
chunksize += SCTP_PAD4(ntohs(auth_hmacs->length));
|
2007-09-17 09:32:11 +07:00
|
|
|
else
|
|
|
|
auth_hmacs = NULL;
|
|
|
|
|
|
|
|
/* Add CHUNKS parameter length */
|
|
|
|
auth_chunks = (sctp_paramhdr_t *)asoc->c.auth_chunks;
|
|
|
|
if (auth_chunks->length)
|
2016-09-21 18:45:55 +07:00
|
|
|
chunksize += SCTP_PAD4(ntohs(auth_chunks->length));
|
2007-09-17 09:32:11 +07:00
|
|
|
else
|
2007-11-29 20:44:34 +07:00
|
|
|
auth_chunks = NULL;
|
2007-09-17 09:32:11 +07:00
|
|
|
|
|
|
|
extensions[num_ext] = SCTP_CID_AUTH;
|
|
|
|
num_ext += 1;
|
|
|
|
}
|
|
|
|
|
2007-09-17 05:53:56 +07:00
|
|
|
/* If we have any extensions to report, account for that */
|
|
|
|
if (num_ext)
|
2016-09-21 18:45:55 +07:00
|
|
|
chunksize += SCTP_PAD4(sizeof(sctp_supported_ext_param_t) +
|
|
|
|
num_ext);
|
2007-09-17 05:53:56 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* RFC 2960 3.3.2 Initiation (INIT) (1)
|
|
|
|
*
|
|
|
|
* Note 3: An INIT chunk MUST NOT contain more than one Host
|
|
|
|
* Name address parameter. Moreover, the sender of the INIT
|
|
|
|
* MUST NOT combine any other address types with the Host Name
|
|
|
|
* address in the INIT. The receiver of INIT MUST ignore any
|
|
|
|
* other address types if the Host Name address parameter is
|
|
|
|
* present in the received INIT chunk.
|
|
|
|
*
|
|
|
|
* PLEASE DO NOT FIXME [This version does not support Host Name.]
|
|
|
|
*/
|
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_INIT, 0, chunksize, gfp);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
retval->subh.init_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(init), &init);
|
|
|
|
retval->param_hdr.v =
|
|
|
|
sctp_addto_chunk(retval, addrs_len, addrs.v);
|
|
|
|
|
|
|
|
/* RFC 2960 3.3.2 Initiation (INIT) (1)
|
|
|
|
*
|
|
|
|
* Note 4: This parameter, when present, specifies all the
|
|
|
|
* address types the sending endpoint can support. The absence
|
|
|
|
* of this parameter indicates that the sending endpoint can
|
|
|
|
* support any address type.
|
|
|
|
*/
|
|
|
|
sat.param_hdr.type = SCTP_PARAM_SUPPORTED_ADDRESS_TYPES;
|
|
|
|
sat.param_hdr.length = htons(SCTP_SAT_LEN(num_types));
|
|
|
|
sctp_addto_chunk(retval, sizeof(sat), &sat);
|
|
|
|
sctp_addto_chunk(retval, num_types * sizeof(__u16), &types);
|
|
|
|
|
|
|
|
sctp_addto_chunk(retval, sizeof(ecap_param), &ecap_param);
|
2007-09-17 05:53:56 +07:00
|
|
|
|
2007-12-21 05:03:52 +07:00
|
|
|
/* Add the supported extensions parameter. Be nice and add this
|
2007-09-17 05:53:56 +07:00
|
|
|
* fist before addiding the parameters for the extensions themselves
|
|
|
|
*/
|
|
|
|
if (num_ext) {
|
|
|
|
ext_param.param_hdr.type = SCTP_PARAM_SUPPORTED_EXT;
|
|
|
|
ext_param.param_hdr.length =
|
|
|
|
htons(sizeof(sctp_supported_ext_param_t) + num_ext);
|
|
|
|
sctp_addto_chunk(retval, sizeof(sctp_supported_ext_param_t),
|
|
|
|
&ext_param);
|
2007-11-29 20:50:35 +07:00
|
|
|
sctp_addto_param(retval, num_ext, extensions);
|
2007-09-17 05:53:56 +07:00
|
|
|
}
|
|
|
|
|
2016-07-09 18:47:40 +07:00
|
|
|
if (asoc->prsctp_enable)
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_addto_chunk(retval, sizeof(prsctp_param), &prsctp_param);
|
2007-09-17 05:53:56 +07:00
|
|
|
|
2009-03-12 16:49:20 +07:00
|
|
|
if (sp->adaptation_ind) {
|
|
|
|
aiparam.param_hdr.type = SCTP_PARAM_ADAPTATION_LAYER_IND;
|
|
|
|
aiparam.param_hdr.length = htons(sizeof(aiparam));
|
|
|
|
aiparam.adaptation_ind = htonl(sp->adaptation_ind);
|
|
|
|
sctp_addto_chunk(retval, sizeof(aiparam), &aiparam);
|
|
|
|
}
|
2007-09-17 05:53:56 +07:00
|
|
|
|
2007-09-17 09:32:11 +07:00
|
|
|
/* Add SCTP-AUTH chunks to the parameter list */
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (ep->auth_enable) {
|
2007-09-17 09:32:11 +07:00
|
|
|
sctp_addto_chunk(retval, sizeof(asoc->c.auth_random),
|
|
|
|
asoc->c.auth_random);
|
|
|
|
if (auth_hmacs)
|
|
|
|
sctp_addto_chunk(retval, ntohs(auth_hmacs->length),
|
|
|
|
auth_hmacs);
|
|
|
|
if (auth_chunks)
|
|
|
|
sctp_addto_chunk(retval, ntohs(auth_chunks->length),
|
|
|
|
auth_chunks);
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
nodata:
|
2005-11-09 00:41:34 +07:00
|
|
|
kfree(addrs.v);
|
2005-04-17 05:20:36 +07:00
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct sctp_chunk *sctp_make_init_ack(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk,
|
2005-10-07 13:46:04 +07:00
|
|
|
gfp_t gfp, int unkparam_len)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
sctp_inithdr_t initack;
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
union sctp_params addrs;
|
2009-03-12 16:49:20 +07:00
|
|
|
struct sctp_sock *sp;
|
2005-04-17 05:20:36 +07:00
|
|
|
int addrs_len;
|
|
|
|
sctp_cookie_param_t *cookie;
|
|
|
|
int cookie_len;
|
|
|
|
size_t chunksize;
|
2006-12-21 07:07:04 +07:00
|
|
|
sctp_adaptation_ind_param_t aiparam;
|
2007-09-17 05:53:56 +07:00
|
|
|
sctp_supported_ext_param_t ext_param;
|
|
|
|
int num_ext = 0;
|
|
|
|
__u8 extensions[3];
|
2007-09-17 09:32:11 +07:00
|
|
|
sctp_paramhdr_t *auth_chunks = NULL,
|
|
|
|
*auth_hmacs = NULL,
|
|
|
|
*auth_random = NULL;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
retval = NULL;
|
|
|
|
|
|
|
|
/* Note: there may be no addresses to embed. */
|
|
|
|
addrs = sctp_bind_addrs_to_raw(&asoc->base.bind_addr, &addrs_len, gfp);
|
|
|
|
|
|
|
|
initack.init_tag = htonl(asoc->c.my_vtag);
|
|
|
|
initack.a_rwnd = htonl(asoc->rwnd);
|
|
|
|
initack.num_outbound_streams = htons(asoc->c.sinit_num_ostreams);
|
|
|
|
initack.num_inbound_streams = htons(asoc->c.sinit_max_instreams);
|
|
|
|
initack.initial_tsn = htonl(asoc->c.initial_tsn);
|
|
|
|
|
|
|
|
/* FIXME: We really ought to build the cookie right
|
|
|
|
* into the packet instead of allocating more fresh memory.
|
|
|
|
*/
|
|
|
|
cookie = sctp_pack_cookie(asoc->ep, asoc, chunk, &cookie_len,
|
|
|
|
addrs.v, addrs_len);
|
|
|
|
if (!cookie)
|
|
|
|
goto nomem_cookie;
|
|
|
|
|
|
|
|
/* Calculate the total size of allocation, include the reserved
|
|
|
|
* space for reporting unknown parameters if it is specified.
|
|
|
|
*/
|
2009-03-12 16:49:20 +07:00
|
|
|
sp = sctp_sk(asoc->base.sk);
|
2005-04-17 05:20:36 +07:00
|
|
|
chunksize = sizeof(initack) + addrs_len + cookie_len + unkparam_len;
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
/* Tell peer that we'll do ECN only if peer advertised such cap. */
|
2005-04-17 05:20:36 +07:00
|
|
|
if (asoc->peer.ecn_capable)
|
|
|
|
chunksize += sizeof(ecap_param);
|
|
|
|
|
2009-03-12 16:49:18 +07:00
|
|
|
if (asoc->peer.prsctp_capable)
|
2008-01-07 15:28:16 +07:00
|
|
|
chunksize += sizeof(prsctp_param);
|
|
|
|
|
2009-03-12 16:49:18 +07:00
|
|
|
if (asoc->peer.asconf_capable) {
|
2007-09-17 05:53:56 +07:00
|
|
|
extensions[num_ext] = SCTP_CID_ASCONF;
|
|
|
|
extensions[num_ext+1] = SCTP_CID_ASCONF_ACK;
|
|
|
|
num_ext += 2;
|
|
|
|
}
|
|
|
|
|
2009-03-12 16:49:20 +07:00
|
|
|
if (sp->adaptation_ind)
|
|
|
|
chunksize += sizeof(aiparam);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2007-09-17 09:32:11 +07:00
|
|
|
if (asoc->peer.auth_capable) {
|
|
|
|
auth_random = (sctp_paramhdr_t *)asoc->c.auth_random;
|
|
|
|
chunksize += ntohs(auth_random->length);
|
|
|
|
|
|
|
|
auth_hmacs = (sctp_paramhdr_t *)asoc->c.auth_hmacs;
|
|
|
|
if (auth_hmacs->length)
|
2016-09-21 18:45:55 +07:00
|
|
|
chunksize += SCTP_PAD4(ntohs(auth_hmacs->length));
|
2007-09-17 09:32:11 +07:00
|
|
|
else
|
|
|
|
auth_hmacs = NULL;
|
|
|
|
|
|
|
|
auth_chunks = (sctp_paramhdr_t *)asoc->c.auth_chunks;
|
|
|
|
if (auth_chunks->length)
|
2016-09-21 18:45:55 +07:00
|
|
|
chunksize += SCTP_PAD4(ntohs(auth_chunks->length));
|
2007-09-17 09:32:11 +07:00
|
|
|
else
|
|
|
|
auth_chunks = NULL;
|
|
|
|
|
|
|
|
extensions[num_ext] = SCTP_CID_AUTH;
|
|
|
|
num_ext += 1;
|
|
|
|
}
|
|
|
|
|
2007-11-29 20:50:35 +07:00
|
|
|
if (num_ext)
|
2016-09-21 18:45:55 +07:00
|
|
|
chunksize += SCTP_PAD4(sizeof(sctp_supported_ext_param_t) +
|
|
|
|
num_ext);
|
2007-11-29 20:50:35 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Now allocate and fill out the chunk. */
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_INIT_ACK, 0, chunksize, gfp);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nomem_chunk;
|
|
|
|
|
2010-05-01 09:41:09 +07:00
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [INIT ACK back to where the INIT came from.]
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
retval->transport = chunk->transport;
|
2010-05-01 09:41:09 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
retval->subh.init_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(initack), &initack);
|
|
|
|
retval->param_hdr.v = sctp_addto_chunk(retval, addrs_len, addrs.v);
|
|
|
|
sctp_addto_chunk(retval, cookie_len, cookie);
|
|
|
|
if (asoc->peer.ecn_capable)
|
|
|
|
sctp_addto_chunk(retval, sizeof(ecap_param), &ecap_param);
|
2007-09-17 05:53:56 +07:00
|
|
|
if (num_ext) {
|
|
|
|
ext_param.param_hdr.type = SCTP_PARAM_SUPPORTED_EXT;
|
|
|
|
ext_param.param_hdr.length =
|
|
|
|
htons(sizeof(sctp_supported_ext_param_t) + num_ext);
|
|
|
|
sctp_addto_chunk(retval, sizeof(sctp_supported_ext_param_t),
|
|
|
|
&ext_param);
|
2007-11-29 20:50:35 +07:00
|
|
|
sctp_addto_param(retval, num_ext, extensions);
|
2007-09-17 05:53:56 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
if (asoc->peer.prsctp_capable)
|
|
|
|
sctp_addto_chunk(retval, sizeof(prsctp_param), &prsctp_param);
|
|
|
|
|
2009-03-12 16:49:20 +07:00
|
|
|
if (sp->adaptation_ind) {
|
|
|
|
aiparam.param_hdr.type = SCTP_PARAM_ADAPTATION_LAYER_IND;
|
|
|
|
aiparam.param_hdr.length = htons(sizeof(aiparam));
|
|
|
|
aiparam.adaptation_ind = htonl(sp->adaptation_ind);
|
|
|
|
sctp_addto_chunk(retval, sizeof(aiparam), &aiparam);
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2007-09-17 09:32:11 +07:00
|
|
|
if (asoc->peer.auth_capable) {
|
|
|
|
sctp_addto_chunk(retval, ntohs(auth_random->length),
|
|
|
|
auth_random);
|
|
|
|
if (auth_hmacs)
|
|
|
|
sctp_addto_chunk(retval, ntohs(auth_hmacs->length),
|
|
|
|
auth_hmacs);
|
|
|
|
if (auth_chunks)
|
|
|
|
sctp_addto_chunk(retval, ntohs(auth_chunks->length),
|
|
|
|
auth_chunks);
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* We need to remove the const qualifier at this point. */
|
|
|
|
retval->asoc = (struct sctp_association *) asoc;
|
|
|
|
|
|
|
|
nomem_chunk:
|
|
|
|
kfree(cookie);
|
|
|
|
nomem_cookie:
|
2005-11-09 00:41:34 +07:00
|
|
|
kfree(addrs.v);
|
2005-04-17 05:20:36 +07:00
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* 3.3.11 Cookie Echo (COOKIE ECHO) (10):
|
|
|
|
*
|
|
|
|
* This chunk is used only during the initialization of an association.
|
|
|
|
* It is sent by the initiator of an association to its peer to complete
|
|
|
|
* the initialization process. This chunk MUST precede any DATA chunk
|
|
|
|
* sent within the association, but MAY be bundled with one or more DATA
|
|
|
|
* chunks in the same packet.
|
|
|
|
*
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Type = 10 |Chunk Flags | Length |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* / Cookie /
|
|
|
|
* \ \
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* Chunk Flags: 8 bit
|
|
|
|
*
|
|
|
|
* Set to zero on transmit and ignored on receipt.
|
|
|
|
*
|
|
|
|
* Length: 16 bits (unsigned integer)
|
|
|
|
*
|
|
|
|
* Set to the size of the chunk in bytes, including the 4 bytes of
|
|
|
|
* the chunk header and the size of the Cookie.
|
|
|
|
*
|
|
|
|
* Cookie: variable size
|
|
|
|
*
|
|
|
|
* This field must contain the exact cookie received in the
|
|
|
|
* State Cookie parameter from the previous INIT ACK.
|
|
|
|
*
|
|
|
|
* An implementation SHOULD make the cookie as small as possible
|
|
|
|
* to insure interoperability.
|
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_cookie_echo(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
void *cookie;
|
|
|
|
int cookie_len;
|
|
|
|
|
|
|
|
cookie = asoc->peer.cookie;
|
|
|
|
cookie_len = asoc->peer.cookie_len;
|
|
|
|
|
|
|
|
/* Build a cookie echo chunk. */
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_COOKIE_ECHO, 0,
|
|
|
|
cookie_len, GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
retval->subh.cookie_hdr =
|
|
|
|
sctp_addto_chunk(retval, cookie_len, cookie);
|
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it * received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [COOKIE ECHO back to where the INIT ACK came from.]
|
|
|
|
*/
|
|
|
|
if (chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* 3.3.12 Cookie Acknowledgement (COOKIE ACK) (11):
|
|
|
|
*
|
|
|
|
* This chunk is used only during the initialization of an
|
|
|
|
* association. It is used to acknowledge the receipt of a COOKIE
|
|
|
|
* ECHO chunk. This chunk MUST precede any DATA or SACK chunk sent
|
|
|
|
* within the association, but MAY be bundled with one or more DATA
|
|
|
|
* chunks or SACK chunk in the same SCTP packet.
|
|
|
|
*
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Type = 11 |Chunk Flags | Length = 4 |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* Chunk Flags: 8 bits
|
|
|
|
*
|
|
|
|
* Set to zero on transmit and ignored on receipt.
|
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_cookie_ack(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_COOKIE_ACK, 0, 0, GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it * received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [COOKIE ACK back to where the COOKIE ECHO came from.]
|
|
|
|
*/
|
|
|
|
if (retval && chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Appendix A: Explicit Congestion Notification:
|
|
|
|
* CWR:
|
|
|
|
*
|
|
|
|
* RFC 2481 details a specific bit for a sender to send in the header of
|
|
|
|
* its next outbound TCP segment to indicate to its peer that it has
|
|
|
|
* reduced its congestion window. This is termed the CWR bit. For
|
|
|
|
* SCTP the same indication is made by including the CWR chunk.
|
|
|
|
* This chunk contains one data element, i.e. the TSN number that
|
|
|
|
* was sent in the ECNE chunk. This element represents the lowest
|
|
|
|
* TSN number in the datagram that was originally marked with the
|
|
|
|
* CE bit.
|
|
|
|
*
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Chunk Type=13 | Flags=00000000| Chunk Length = 8 |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Lowest TSN Number |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* Note: The CWR is considered a Control chunk.
|
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_cwr(const struct sctp_association *asoc,
|
|
|
|
const __u32 lowest_tsn,
|
|
|
|
const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
sctp_cwrhdr_t cwr;
|
|
|
|
|
|
|
|
cwr.lowest_tsn = htonl(lowest_tsn);
|
2013-08-10 09:05:36 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_ECN_CWR, 0,
|
2016-03-11 04:33:07 +07:00
|
|
|
sizeof(sctp_cwrhdr_t), GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
retval->subh.ecn_cwr_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(cwr), &cwr);
|
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it * received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [Report a reduced congestion window back to where the ECNE
|
|
|
|
* came from.]
|
|
|
|
*/
|
|
|
|
if (chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Make an ECNE chunk. This is a congestion experienced report. */
|
|
|
|
struct sctp_chunk *sctp_make_ecne(const struct sctp_association *asoc,
|
|
|
|
const __u32 lowest_tsn)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
sctp_ecnehdr_t ecne;
|
|
|
|
|
|
|
|
ecne.lowest_tsn = htonl(lowest_tsn);
|
2013-08-10 09:05:36 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_ECN_ECNE, 0,
|
2016-03-11 04:33:07 +07:00
|
|
|
sizeof(sctp_ecnehdr_t), GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
retval->subh.ecne_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(ecne), &ecne);
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Make a DATA chunk for the given association from the provided
|
|
|
|
* parameters. However, do not populate the data payload.
|
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_datafrag_empty(struct sctp_association *asoc,
|
|
|
|
const struct sctp_sndrcvinfo *sinfo,
|
2016-03-11 04:33:07 +07:00
|
|
|
int data_len, __u8 flags, __u16 ssn,
|
|
|
|
gfp_t gfp)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
struct sctp_datahdr dp;
|
|
|
|
int chunk_len;
|
|
|
|
|
|
|
|
/* We assign the TSN as LATE as possible, not here when
|
|
|
|
* creating the chunk.
|
|
|
|
*/
|
|
|
|
dp.tsn = 0;
|
|
|
|
dp.stream = htons(sinfo->sinfo_stream);
|
|
|
|
dp.ppid = sinfo->sinfo_ppid;
|
|
|
|
|
|
|
|
/* Set the flags for an unordered send. */
|
2005-10-29 05:10:00 +07:00
|
|
|
if (sinfo->sinfo_flags & SCTP_UNORDERED) {
|
2005-04-17 05:20:36 +07:00
|
|
|
flags |= SCTP_DATA_UNORDERED;
|
|
|
|
dp.ssn = 0;
|
|
|
|
} else
|
|
|
|
dp.ssn = htons(ssn);
|
|
|
|
|
|
|
|
chunk_len = sizeof(dp) + data_len;
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_data(asoc, flags, chunk_len, gfp);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
retval->subh.data_hdr = sctp_addto_chunk(retval, sizeof(dp), &dp);
|
|
|
|
memcpy(&retval->sinfo, sinfo, sizeof(struct sctp_sndrcvinfo));
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Create a selective ackowledgement (SACK) for the given
|
|
|
|
* association. This reports on which TSN's we've seen to date,
|
|
|
|
* including duplicates and gaps.
|
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_sack(const struct sctp_association *asoc)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
struct sctp_sackhdr sack;
|
|
|
|
int len;
|
|
|
|
__u32 ctsn;
|
|
|
|
__u16 num_gabs, num_dup_tsns;
|
2012-06-30 10:04:26 +07:00
|
|
|
struct sctp_association *aptr = (struct sctp_association *)asoc;
|
2005-04-17 05:20:36 +07:00
|
|
|
struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
|
2008-10-09 04:19:01 +07:00
|
|
|
struct sctp_gap_ack_block gabs[SCTP_MAX_GABS];
|
2012-06-30 10:04:26 +07:00
|
|
|
struct sctp_transport *trans;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2008-10-09 04:19:01 +07:00
|
|
|
memset(gabs, 0, sizeof(gabs));
|
2005-04-17 05:20:36 +07:00
|
|
|
ctsn = sctp_tsnmap_get_ctsn(map);
|
net: sctp: rework debugging framework to use pr_debug and friends
We should get rid of all own SCTP debug printk macros and use the ones
that the kernel offers anyway instead. This makes the code more readable
and conform to the kernel code, and offers all the features of dynamic
debbuging that pr_debug() et al has, such as only turning on/off portions
of debug messages at runtime through debugfs. The runtime cost of having
CONFIG_DYNAMIC_DEBUG enabled, but none of the debug statements printing,
is negligible [1]. If kernel debugging is completly turned off, then these
statements will also compile into "empty" functions.
While we're at it, we also need to change the Kconfig option as it /now/
only refers to the ifdef'ed code portions in outqueue.c that enable further
debugging/tracing of SCTP transaction fields. Also, since SCTP_ASSERT code
was enabled with this Kconfig option and has now been removed, we
transform those code parts into WARNs resp. where appropriate BUG_ONs so
that those bugs can be more easily detected as probably not many people
have SCTP debugging permanently turned on.
To turn on all SCTP debugging, the following steps are needed:
# mount -t debugfs none /sys/kernel/debug
# echo -n 'module sctp +p' > /sys/kernel/debug/dynamic_debug/control
This can be done more fine-grained on a per file, per line basis and others
as described in [2].
[1] https://www.kernel.org/doc/ols/2009/ols2009-pages-39-46.pdf
[2] Documentation/dynamic-debug-howto.txt
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-29 00:49:40 +07:00
|
|
|
|
|
|
|
pr_debug("%s: sackCTSNAck sent:0x%x\n", __func__, ctsn);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* How much room is needed in the chunk? */
|
2008-10-09 04:19:01 +07:00
|
|
|
num_gabs = sctp_tsnmap_num_gabs(map, gabs);
|
2005-04-17 05:20:36 +07:00
|
|
|
num_dup_tsns = sctp_tsnmap_num_dups(map);
|
|
|
|
|
|
|
|
/* Initialize the SACK header. */
|
|
|
|
sack.cum_tsn_ack = htonl(ctsn);
|
|
|
|
sack.a_rwnd = htonl(asoc->a_rwnd);
|
|
|
|
sack.num_gap_ack_blocks = htons(num_gabs);
|
|
|
|
sack.num_dup_tsns = htons(num_dup_tsns);
|
|
|
|
|
|
|
|
len = sizeof(sack)
|
|
|
|
+ sizeof(struct sctp_gap_ack_block) * num_gabs
|
|
|
|
+ sizeof(__u32) * num_dup_tsns;
|
|
|
|
|
|
|
|
/* Create the chunk. */
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_SACK, 0, len, GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, etc.) to the same destination transport
|
|
|
|
* address from which it received the DATA or control chunk to
|
|
|
|
* which it is replying. This rule should also be followed if
|
|
|
|
* the endpoint is bundling DATA chunks together with the
|
|
|
|
* reply chunk.
|
|
|
|
*
|
|
|
|
* However, when acknowledging multiple DATA chunks received
|
|
|
|
* in packets from different source addresses in a single
|
|
|
|
* SACK, the SACK chunk may be transmitted to one of the
|
|
|
|
* destination transport addresses from which the DATA or
|
|
|
|
* control chunks being acknowledged were received.
|
|
|
|
*
|
|
|
|
* [BUG: We do not implement the following paragraph.
|
|
|
|
* Perhaps we should remember the last transport we used for a
|
|
|
|
* SACK and avoid that (if possible) if we have seen any
|
|
|
|
* duplicates. --piggy]
|
|
|
|
*
|
|
|
|
* When a receiver of a duplicate DATA chunk sends a SACK to a
|
|
|
|
* multi- homed endpoint it MAY be beneficial to vary the
|
|
|
|
* destination address and not use the source address of the
|
|
|
|
* DATA chunk. The reason being that receiving a duplicate
|
|
|
|
* from a multi-homed endpoint might indicate that the return
|
|
|
|
* path (as specified in the source address of the DATA chunk)
|
|
|
|
* for the SACK is broken.
|
|
|
|
*
|
|
|
|
* [Send to the address from which we last received a DATA chunk.]
|
|
|
|
*/
|
|
|
|
retval->transport = asoc->peer.last_data_from;
|
|
|
|
|
|
|
|
retval->subh.sack_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(sack), &sack);
|
|
|
|
|
|
|
|
/* Add the gap ack block information. */
|
|
|
|
if (num_gabs)
|
|
|
|
sctp_addto_chunk(retval, sizeof(__u32) * num_gabs,
|
2008-10-09 04:19:01 +07:00
|
|
|
gabs);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Add the duplicate TSN information. */
|
2012-12-01 11:49:42 +07:00
|
|
|
if (num_dup_tsns) {
|
|
|
|
aptr->stats.idupchunks += num_dup_tsns;
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_addto_chunk(retval, sizeof(__u32) * num_dup_tsns,
|
|
|
|
sctp_tsnmap_get_dups(map));
|
2012-12-01 11:49:42 +07:00
|
|
|
}
|
2012-06-30 10:04:26 +07:00
|
|
|
/* Once we have a sack generated, check to see what our sack
|
|
|
|
* generation is, if its 0, reset the transports to 0, and reset
|
|
|
|
* the association generation to 1
|
|
|
|
*
|
|
|
|
* The idea is that zero is never used as a valid generation for the
|
|
|
|
* association so no transport will match after a wrap event like this,
|
|
|
|
* Until the next sack
|
|
|
|
*/
|
|
|
|
if (++aptr->peer.sack_generation == 0) {
|
|
|
|
list_for_each_entry(trans, &asoc->peer.transport_addr_list,
|
|
|
|
transports)
|
|
|
|
trans->sack_generation = 0;
|
|
|
|
aptr->peer.sack_generation = 1;
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Make a SHUTDOWN chunk. */
|
|
|
|
struct sctp_chunk *sctp_make_shutdown(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
sctp_shutdownhdr_t shut;
|
|
|
|
__u32 ctsn;
|
|
|
|
|
|
|
|
ctsn = sctp_tsnmap_get_ctsn(&asoc->peer.tsn_map);
|
|
|
|
shut.cum_tsn_ack = htonl(ctsn);
|
|
|
|
|
2013-08-10 09:05:36 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_SHUTDOWN, 0,
|
2016-03-11 04:33:07 +07:00
|
|
|
sizeof(sctp_shutdownhdr_t), GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
retval->subh.shutdown_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(shut), &shut);
|
|
|
|
|
|
|
|
if (chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct sctp_chunk *sctp_make_shutdown_ack(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_SHUTDOWN_ACK, 0, 0,
|
|
|
|
GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it * received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [ACK back to where the SHUTDOWN came from.]
|
|
|
|
*/
|
|
|
|
if (retval && chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct sctp_chunk *sctp_make_shutdown_complete(
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
__u8 flags = 0;
|
|
|
|
|
2005-04-29 01:58:43 +07:00
|
|
|
/* Set the T-bit if we have no association (vtag will be
|
|
|
|
* reflected)
|
|
|
|
*/
|
2005-04-17 05:20:36 +07:00
|
|
|
flags |= asoc ? 0 : SCTP_CHUNK_FLAG_T;
|
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_SHUTDOWN_COMPLETE, flags,
|
|
|
|
0, GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it * received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [Report SHUTDOWN COMPLETE back to where the SHUTDOWN ACK
|
|
|
|
* came from.]
|
|
|
|
*/
|
|
|
|
if (retval && chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
return retval;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Create an ABORT. Note that we set the T bit if we have no
|
2005-04-29 01:58:43 +07:00
|
|
|
* association, except when responding to an INIT (sctpimpguide 2.41).
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_abort(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk,
|
|
|
|
const size_t hint)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
__u8 flags = 0;
|
|
|
|
|
2005-04-29 01:58:43 +07:00
|
|
|
/* Set the T-bit if we have no association and 'chunk' is not
|
|
|
|
* an INIT (vtag will be reflected).
|
|
|
|
*/
|
|
|
|
if (!asoc) {
|
|
|
|
if (chunk && chunk->chunk_hdr &&
|
|
|
|
chunk->chunk_hdr->type == SCTP_CID_INIT)
|
|
|
|
flags = 0;
|
|
|
|
else
|
|
|
|
flags = SCTP_CHUNK_FLAG_T;
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_ABORT, flags, hint,
|
|
|
|
GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it * received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [ABORT back to where the offender came from.]
|
|
|
|
*/
|
|
|
|
if (retval && chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Helper to create ABORT with a NO_USER_DATA error. */
|
|
|
|
struct sctp_chunk *sctp_make_abort_no_data(
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk, __u32 tsn)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
2006-11-21 08:26:34 +07:00
|
|
|
__be32 payload;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
retval = sctp_make_abort(asoc, chunk, sizeof(sctp_errhdr_t)
|
|
|
|
+ sizeof(tsn));
|
|
|
|
|
|
|
|
if (!retval)
|
|
|
|
goto no_mem;
|
|
|
|
|
|
|
|
/* Put the tsn back into network byte order. */
|
|
|
|
payload = htonl(tsn);
|
2007-08-21 14:50:01 +07:00
|
|
|
sctp_init_cause(retval, SCTP_ERROR_NO_DATA, sizeof(payload));
|
|
|
|
sctp_addto_chunk(retval, sizeof(payload), (const void *)&payload);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it * received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [ABORT back to where the offender came from.]
|
|
|
|
*/
|
|
|
|
if (chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
|
|
|
no_mem:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Helper to create ABORT with a SCTP_ERROR_USER_ABORT error. */
|
|
|
|
struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *asoc,
|
2014-04-07 08:25:44 +07:00
|
|
|
struct msghdr *msg,
|
2006-08-23 01:50:39 +07:00
|
|
|
size_t paylen)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
2006-08-23 01:50:39 +07:00
|
|
|
void *payload = NULL;
|
|
|
|
int err;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2006-08-23 01:50:39 +07:00
|
|
|
retval = sctp_make_abort(asoc, NULL, sizeof(sctp_errhdr_t) + paylen);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto err_chunk;
|
|
|
|
|
|
|
|
if (paylen) {
|
|
|
|
/* Put the msg_iov together into payload. */
|
2006-08-23 01:50:39 +07:00
|
|
|
payload = kmalloc(paylen, GFP_KERNEL);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!payload)
|
|
|
|
goto err_payload;
|
2006-08-23 01:50:39 +07:00
|
|
|
|
2014-04-07 08:25:44 +07:00
|
|
|
err = memcpy_from_msg(payload, msg, paylen);
|
2006-08-23 01:50:39 +07:00
|
|
|
if (err < 0)
|
|
|
|
goto err_copy;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2007-08-21 14:50:01 +07:00
|
|
|
sctp_init_cause(retval, SCTP_ERROR_USER_ABORT, paylen);
|
|
|
|
sctp_addto_chunk(retval, paylen, payload);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (paylen)
|
|
|
|
kfree(payload);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
err_copy:
|
|
|
|
kfree(payload);
|
|
|
|
err_payload:
|
|
|
|
sctp_chunk_free(retval);
|
|
|
|
retval = NULL;
|
|
|
|
err_chunk:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2007-09-12 20:16:21 +07:00
|
|
|
/* Append bytes to the end of a parameter. Will panic if chunk is not big
|
|
|
|
* enough.
|
|
|
|
*/
|
|
|
|
static void *sctp_addto_param(struct sctp_chunk *chunk, int len,
|
|
|
|
const void *data)
|
|
|
|
{
|
|
|
|
void *target;
|
|
|
|
int chunklen = ntohs(chunk->chunk_hdr->length);
|
|
|
|
|
|
|
|
target = skb_put(chunk->skb, len);
|
|
|
|
|
2009-11-24 03:53:56 +07:00
|
|
|
if (data)
|
|
|
|
memcpy(target, data, len);
|
|
|
|
else
|
|
|
|
memset(target, 0, len);
|
2007-09-12 20:16:21 +07:00
|
|
|
|
|
|
|
/* Adjust the chunk length field. */
|
|
|
|
chunk->chunk_hdr->length = htons(chunklen + len);
|
|
|
|
chunk->chunk_end = skb_tail_pointer(chunk->skb);
|
|
|
|
|
|
|
|
return target;
|
|
|
|
}
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
/* Make an ABORT chunk with a PROTOCOL VIOLATION cause code. */
|
2005-04-17 05:20:36 +07:00
|
|
|
struct sctp_chunk *sctp_make_abort_violation(
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk,
|
|
|
|
const __u8 *payload,
|
|
|
|
const size_t paylen)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
struct sctp_paramhdr phdr;
|
|
|
|
|
|
|
|
retval = sctp_make_abort(asoc, chunk, sizeof(sctp_errhdr_t) + paylen
|
2007-08-21 14:50:01 +07:00
|
|
|
+ sizeof(sctp_paramhdr_t));
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto end;
|
|
|
|
|
2007-08-21 14:50:01 +07:00
|
|
|
sctp_init_cause(retval, SCTP_ERROR_PROTO_VIOLATION, paylen
|
|
|
|
+ sizeof(sctp_paramhdr_t));
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
phdr.type = htons(chunk->chunk_hdr->type);
|
|
|
|
phdr.length = chunk->chunk_hdr->length;
|
2007-08-21 14:50:01 +07:00
|
|
|
sctp_addto_chunk(retval, paylen, payload);
|
|
|
|
sctp_addto_param(retval, sizeof(sctp_paramhdr_t), &phdr);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
end:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2008-09-30 19:32:24 +07:00
|
|
|
struct sctp_chunk *sctp_make_violation_paramlen(
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk,
|
|
|
|
struct sctp_paramhdr *param)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
static const char error[] = "The following parameter had invalid length:";
|
|
|
|
size_t payload_len = sizeof(error) + sizeof(sctp_errhdr_t) +
|
|
|
|
sizeof(sctp_paramhdr_t);
|
|
|
|
|
|
|
|
retval = sctp_make_abort(asoc, chunk, payload_len);
|
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
sctp_init_cause(retval, SCTP_ERROR_PROTO_VIOLATION,
|
|
|
|
sizeof(error) + sizeof(sctp_paramhdr_t));
|
|
|
|
sctp_addto_chunk(retval, sizeof(error), error);
|
|
|
|
sctp_addto_param(retval, sizeof(sctp_paramhdr_t), param);
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2012-11-20 17:14:30 +07:00
|
|
|
struct sctp_chunk *sctp_make_violation_max_retrans(
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
static const char error[] = "Association exceeded its max_retans count";
|
|
|
|
size_t payload_len = sizeof(error) + sizeof(sctp_errhdr_t);
|
|
|
|
|
|
|
|
retval = sctp_make_abort(asoc, chunk, payload_len);
|
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
sctp_init_cause(retval, SCTP_ERROR_PROTO_VIOLATION, sizeof(error));
|
|
|
|
sctp_addto_chunk(retval, sizeof(error), error);
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Make a HEARTBEAT chunk. */
|
|
|
|
struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *asoc,
|
2011-04-20 04:31:47 +07:00
|
|
|
const struct sctp_transport *transport)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2011-04-20 04:31:47 +07:00
|
|
|
struct sctp_chunk *retval;
|
|
|
|
sctp_sender_hb_info_t hbinfo;
|
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_HEARTBEAT, 0,
|
|
|
|
sizeof(hbinfo), GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
2011-04-20 04:31:47 +07:00
|
|
|
hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
|
|
|
|
hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
|
|
|
|
hbinfo.daddr = transport->ipaddr;
|
|
|
|
hbinfo.sent_at = jiffies;
|
|
|
|
hbinfo.hb_nonce = transport->hb_nonce;
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Cast away the 'const', as this is just telling the chunk
|
|
|
|
* what transport it belongs to.
|
|
|
|
*/
|
|
|
|
retval->transport = (struct sctp_transport *) transport;
|
2011-04-20 04:31:47 +07:00
|
|
|
retval->subh.hbs_hdr = sctp_addto_chunk(retval, sizeof(hbinfo),
|
|
|
|
&hbinfo);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct sctp_chunk *sctp_make_heartbeat_ack(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk,
|
|
|
|
const void *payload, const size_t paylen)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_HEARTBEAT_ACK, 0, paylen,
|
|
|
|
GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
retval->subh.hbs_hdr = sctp_addto_chunk(retval, paylen, payload);
|
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, * etc.) to the same destination transport
|
|
|
|
* address from which it * received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
* [HBACK back to where the HEARTBEAT came from.]
|
|
|
|
*/
|
|
|
|
if (chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Create an Operation Error chunk with the specified space reserved.
|
|
|
|
* This routine can be used for containing multiple causes in the chunk.
|
|
|
|
*/
|
|
|
|
static struct sctp_chunk *sctp_make_op_error_space(
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk,
|
|
|
|
size_t size)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
|
2013-08-10 09:05:36 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_ERROR, 0,
|
2016-03-11 04:33:07 +07:00
|
|
|
sizeof(sctp_errhdr_t) + size, GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
/* RFC 2960 6.4 Multi-homed SCTP Endpoints
|
|
|
|
*
|
|
|
|
* An endpoint SHOULD transmit reply chunks (e.g., SACK,
|
|
|
|
* HEARTBEAT ACK, etc.) to the same destination transport
|
|
|
|
* address from which it received the DATA or control chunk
|
|
|
|
* to which it is replying.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
if (chunk)
|
|
|
|
retval->transport = chunk->transport;
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
/* Create an Operation Error chunk of a fixed size,
|
|
|
|
* specifically, max(asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT)
|
|
|
|
* This is a helper function to allocate an error chunk for
|
|
|
|
* for those invalid parameter codes in which we may not want
|
2012-12-27 23:33:02 +07:00
|
|
|
* to report all the errors, if the incoming chunk is large
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
*/
|
|
|
|
static inline struct sctp_chunk *sctp_make_op_error_fixed(
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
size_t size = asoc ? asoc->pathmtu : 0;
|
|
|
|
|
|
|
|
if (!size)
|
|
|
|
size = SCTP_DEFAULT_MAXSEGMENT;
|
|
|
|
|
|
|
|
return sctp_make_op_error_space(asoc, chunk, size);
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Create an Operation Error chunk. */
|
|
|
|
struct sctp_chunk *sctp_make_op_error(const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *chunk,
|
2006-11-21 08:00:05 +07:00
|
|
|
__be16 cause_code, const void *payload,
|
2009-11-24 03:53:56 +07:00
|
|
|
size_t paylen, size_t reserve_tail)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
|
2009-11-24 03:53:56 +07:00
|
|
|
retval = sctp_make_op_error_space(asoc, chunk, paylen + reserve_tail);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
2009-11-24 03:53:56 +07:00
|
|
|
sctp_init_cause(retval, cause_code, paylen + reserve_tail);
|
2007-08-21 14:50:01 +07:00
|
|
|
sctp_addto_chunk(retval, paylen, payload);
|
2009-11-24 03:53:56 +07:00
|
|
|
if (reserve_tail)
|
|
|
|
sctp_addto_param(retval, reserve_tail, NULL);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2007-09-17 09:32:45 +07:00
|
|
|
struct sctp_chunk *sctp_make_auth(const struct sctp_association *asoc)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
struct sctp_hmac *hmac_desc;
|
|
|
|
struct sctp_authhdr auth_hdr;
|
|
|
|
__u8 *hmac;
|
|
|
|
|
|
|
|
/* Get the first hmac that the peer told us to use */
|
|
|
|
hmac_desc = sctp_auth_asoc_get_hmac(asoc);
|
|
|
|
if (unlikely(!hmac_desc))
|
|
|
|
return NULL;
|
|
|
|
|
2013-08-10 09:05:36 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_AUTH, 0,
|
2016-03-11 04:33:07 +07:00
|
|
|
hmac_desc->hmac_len + sizeof(sctp_authhdr_t),
|
|
|
|
GFP_ATOMIC);
|
2007-09-17 09:32:45 +07:00
|
|
|
if (!retval)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
auth_hdr.hmac_id = htons(hmac_desc->hmac_id);
|
|
|
|
auth_hdr.shkey_id = htons(asoc->active_key_id);
|
|
|
|
|
|
|
|
retval->subh.auth_hdr = sctp_addto_chunk(retval, sizeof(sctp_authhdr_t),
|
|
|
|
&auth_hdr);
|
|
|
|
|
|
|
|
hmac = skb_put(retval->skb, hmac_desc->hmac_len);
|
|
|
|
memset(hmac, 0, hmac_desc->hmac_len);
|
|
|
|
|
|
|
|
/* Adjust the chunk header to include the empty MAC */
|
|
|
|
retval->chunk_hdr->length =
|
|
|
|
htons(ntohs(retval->chunk_hdr->length) + hmac_desc->hmac_len);
|
|
|
|
retval->chunk_end = skb_tail_pointer(retval->skb);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/********************************************************************
|
|
|
|
* 2nd Level Abstractions
|
|
|
|
********************************************************************/
|
|
|
|
|
|
|
|
/* Turn an skb into a chunk.
|
|
|
|
* FIXME: Eventually move the structure directly inside the skb->cb[].
|
2013-10-26 15:06:31 +07:00
|
|
|
*
|
|
|
|
* sctpimpguide-05.txt Section 2.8.2
|
|
|
|
* M1) Each time a new DATA chunk is transmitted
|
|
|
|
* set the 'TSN.Missing.Report' count for that TSN to 0. The
|
|
|
|
* 'TSN.Missing.Report' count will be used to determine missing chunks
|
|
|
|
* and when to fast retransmit.
|
|
|
|
*
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_chunkify(struct sk_buff *skb,
|
|
|
|
const struct sctp_association *asoc,
|
2016-03-11 04:33:07 +07:00
|
|
|
struct sock *sk, gfp_t gfp)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = kmem_cache_zalloc(sctp_chunk_cachep, gfp);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
net: sctp: rework debugging framework to use pr_debug and friends
We should get rid of all own SCTP debug printk macros and use the ones
that the kernel offers anyway instead. This makes the code more readable
and conform to the kernel code, and offers all the features of dynamic
debbuging that pr_debug() et al has, such as only turning on/off portions
of debug messages at runtime through debugfs. The runtime cost of having
CONFIG_DYNAMIC_DEBUG enabled, but none of the debug statements printing,
is negligible [1]. If kernel debugging is completly turned off, then these
statements will also compile into "empty" functions.
While we're at it, we also need to change the Kconfig option as it /now/
only refers to the ifdef'ed code portions in outqueue.c that enable further
debugging/tracing of SCTP transaction fields. Also, since SCTP_ASSERT code
was enabled with this Kconfig option and has now been removed, we
transform those code parts into WARNs resp. where appropriate BUG_ONs so
that those bugs can be more easily detected as probably not many people
have SCTP debugging permanently turned on.
To turn on all SCTP debugging, the following steps are needed:
# mount -t debugfs none /sys/kernel/debug
# echo -n 'module sctp +p' > /sys/kernel/debug/dynamic_debug/control
This can be done more fine-grained on a per file, per line basis and others
as described in [2].
[1] https://www.kernel.org/doc/ols/2009/ols2009-pages-39-46.pdf
[2] Documentation/dynamic-debug-howto.txt
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-29 00:49:40 +07:00
|
|
|
if (!sk)
|
|
|
|
pr_debug("%s: chunkifying skb:%p w/o an sk\n", __func__, skb);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2005-07-09 11:47:49 +07:00
|
|
|
INIT_LIST_HEAD(&retval->list);
|
2005-04-17 05:20:36 +07:00
|
|
|
retval->skb = skb;
|
|
|
|
retval->asoc = (struct sctp_association *)asoc;
|
|
|
|
retval->singleton = 1;
|
|
|
|
|
2013-10-26 15:06:31 +07:00
|
|
|
retval->fast_retransmit = SCTP_CAN_FRTX;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Polish the bead hole. */
|
|
|
|
INIT_LIST_HEAD(&retval->transmitted_list);
|
|
|
|
INIT_LIST_HEAD(&retval->frag_list);
|
|
|
|
SCTP_DBG_OBJCNT_INC(chunk);
|
|
|
|
atomic_set(&retval->refcnt, 1);
|
|
|
|
|
|
|
|
nodata:
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Set chunk->source and dest based on the IP header in chunk->skb. */
|
|
|
|
void sctp_init_addrs(struct sctp_chunk *chunk, union sctp_addr *src,
|
|
|
|
union sctp_addr *dest)
|
|
|
|
{
|
2006-11-21 08:09:01 +07:00
|
|
|
memcpy(&chunk->source, src, sizeof(union sctp_addr));
|
2006-11-21 08:13:38 +07:00
|
|
|
memcpy(&chunk->dest, dest, sizeof(union sctp_addr));
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Extract the source address from a chunk. */
|
|
|
|
const union sctp_addr *sctp_source(const struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
/* If we have a known transport, use that. */
|
|
|
|
if (chunk->transport) {
|
2006-11-21 08:12:25 +07:00
|
|
|
return &chunk->transport->ipaddr;
|
2005-04-17 05:20:36 +07:00
|
|
|
} else {
|
|
|
|
/* Otherwise, extract it from the IP header. */
|
2006-11-21 08:12:25 +07:00
|
|
|
return &chunk->source;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Create a new chunk, setting the type and flags headers from the
|
|
|
|
* arguments, reserving enough space for a 'paylen' byte payload.
|
|
|
|
*/
|
2013-08-10 09:05:36 +07:00
|
|
|
static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
|
2016-03-11 04:33:07 +07:00
|
|
|
__u8 type, __u8 flags, int paylen,
|
|
|
|
gfp_t gfp)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
sctp_chunkhdr_t *chunk_hdr;
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sock *sk;
|
|
|
|
|
|
|
|
/* No need to allocate LL here, as this is only a chunk. */
|
2016-09-21 18:45:55 +07:00
|
|
|
skb = alloc_skb(SCTP_PAD4(sizeof(sctp_chunkhdr_t) + paylen), gfp);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!skb)
|
|
|
|
goto nodata;
|
|
|
|
|
|
|
|
/* Make room for the chunk header. */
|
|
|
|
chunk_hdr = (sctp_chunkhdr_t *)skb_put(skb, sizeof(sctp_chunkhdr_t));
|
|
|
|
chunk_hdr->type = type;
|
|
|
|
chunk_hdr->flags = flags;
|
|
|
|
chunk_hdr->length = htons(sizeof(sctp_chunkhdr_t));
|
|
|
|
|
|
|
|
sk = asoc ? asoc->base.sk : NULL;
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_chunkify(skb, asoc, sk, gfp);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
goto nodata;
|
|
|
|
}
|
|
|
|
|
|
|
|
retval->chunk_hdr = chunk_hdr;
|
|
|
|
retval->chunk_end = ((__u8 *)chunk_hdr) + sizeof(struct sctp_chunkhdr);
|
|
|
|
|
2007-09-17 09:32:45 +07:00
|
|
|
/* Determine if the chunk needs to be authenticated */
|
|
|
|
if (sctp_auth_send_cid(type, asoc))
|
|
|
|
retval->auth = 1;
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
return retval;
|
|
|
|
nodata:
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2013-08-10 09:05:36 +07:00
|
|
|
static struct sctp_chunk *sctp_make_data(const struct sctp_association *asoc,
|
2016-03-11 04:33:07 +07:00
|
|
|
__u8 flags, int paylen, gfp_t gfp)
|
2013-08-10 09:05:36 +07:00
|
|
|
{
|
2016-03-11 04:33:07 +07:00
|
|
|
return _sctp_make_chunk(asoc, SCTP_CID_DATA, flags, paylen, gfp);
|
2013-08-10 09:05:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct sctp_chunk *sctp_make_control(const struct sctp_association *asoc,
|
2016-03-11 04:33:07 +07:00
|
|
|
__u8 type, __u8 flags, int paylen,
|
|
|
|
gfp_t gfp)
|
2013-08-10 09:05:36 +07:00
|
|
|
{
|
2016-03-11 04:33:07 +07:00
|
|
|
struct sctp_chunk *chunk;
|
2013-08-10 09:05:36 +07:00
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
chunk = _sctp_make_chunk(asoc, type, flags, paylen, gfp);
|
2013-08-10 09:05:36 +07:00
|
|
|
if (chunk)
|
|
|
|
sctp_control_set_owner_w(chunk);
|
|
|
|
|
|
|
|
return chunk;
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Release the memory occupied by a chunk. */
|
|
|
|
static void sctp_chunk_destroy(struct sctp_chunk *chunk)
|
|
|
|
{
|
2007-12-21 05:11:47 +07:00
|
|
|
BUG_ON(!list_empty(&chunk->list));
|
|
|
|
list_del_init(&chunk->transmitted_list);
|
|
|
|
|
2014-03-04 22:35:51 +07:00
|
|
|
consume_skb(chunk->skb);
|
|
|
|
consume_skb(chunk->auth_chunk);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
SCTP_DBG_OBJCNT_DEC(chunk);
|
|
|
|
kmem_cache_free(sctp_chunk_cachep, chunk);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Possibly, free the chunk. */
|
|
|
|
void sctp_chunk_free(struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
/* Release our reference on the message tracker. */
|
|
|
|
if (chunk->msg)
|
|
|
|
sctp_datamsg_put(chunk->msg);
|
|
|
|
|
|
|
|
sctp_chunk_put(chunk);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Grab a reference to the chunk. */
|
|
|
|
void sctp_chunk_hold(struct sctp_chunk *ch)
|
|
|
|
{
|
|
|
|
atomic_inc(&ch->refcnt);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Release a reference to the chunk. */
|
|
|
|
void sctp_chunk_put(struct sctp_chunk *ch)
|
|
|
|
{
|
|
|
|
if (atomic_dec_and_test(&ch->refcnt))
|
|
|
|
sctp_chunk_destroy(ch);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Append bytes to the end of a chunk. Will panic if chunk is not big
|
|
|
|
* enough.
|
|
|
|
*/
|
|
|
|
void *sctp_addto_chunk(struct sctp_chunk *chunk, int len, const void *data)
|
|
|
|
{
|
|
|
|
void *target;
|
|
|
|
void *padding;
|
|
|
|
int chunklen = ntohs(chunk->chunk_hdr->length);
|
2016-09-21 18:45:55 +07:00
|
|
|
int padlen = SCTP_PAD4(chunklen) - chunklen;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
padding = skb_put(chunk->skb, padlen);
|
|
|
|
target = skb_put(chunk->skb, len);
|
|
|
|
|
|
|
|
memset(padding, 0, padlen);
|
|
|
|
memcpy(target, data, len);
|
|
|
|
|
|
|
|
/* Adjust the chunk length field. */
|
|
|
|
chunk->chunk_hdr->length = htons(chunklen + padlen + len);
|
2007-04-20 10:29:13 +07:00
|
|
|
chunk->chunk_end = skb_tail_pointer(chunk->skb);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
return target;
|
|
|
|
}
|
|
|
|
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
/* Append bytes to the end of a chunk. Returns NULL if there isn't sufficient
|
|
|
|
* space in the chunk
|
|
|
|
*/
|
2014-01-10 13:31:11 +07:00
|
|
|
static void *sctp_addto_chunk_fixed(struct sctp_chunk *chunk,
|
|
|
|
int len, const void *data)
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
{
|
2010-05-18 12:51:58 +07:00
|
|
|
if (skb_tailroom(chunk->skb) >= len)
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
return sctp_addto_chunk(chunk, len, data);
|
|
|
|
else
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Append bytes from user space to the end of a chunk. Will panic if
|
|
|
|
* chunk is not big enough.
|
|
|
|
* Returns a kernel err value.
|
|
|
|
*/
|
2014-11-15 13:11:23 +07:00
|
|
|
int sctp_user_addto_chunk(struct sctp_chunk *chunk, int len,
|
|
|
|
struct iov_iter *from)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2014-11-15 13:11:23 +07:00
|
|
|
void *target;
|
|
|
|
ssize_t copied;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Make room in chunk for data. */
|
|
|
|
target = skb_put(chunk->skb, len);
|
|
|
|
|
|
|
|
/* Copy data (whole iovec) into chunk */
|
2014-11-15 13:11:23 +07:00
|
|
|
copied = copy_from_iter(target, len, from);
|
|
|
|
if (copied != len)
|
|
|
|
return -EFAULT;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Adjust the chunk length field. */
|
|
|
|
chunk->chunk_hdr->length =
|
|
|
|
htons(ntohs(chunk->chunk_hdr->length) + len);
|
2007-04-20 10:29:13 +07:00
|
|
|
chunk->chunk_end = skb_tail_pointer(chunk->skb);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2014-11-15 13:11:23 +07:00
|
|
|
return 0;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Helper function to assign a TSN if needed. This assumes that both
|
|
|
|
* the data_hdr and association have already been assigned.
|
|
|
|
*/
|
|
|
|
void sctp_chunk_assign_ssn(struct sctp_chunk *chunk)
|
|
|
|
{
|
2007-08-03 03:51:42 +07:00
|
|
|
struct sctp_datamsg *msg;
|
|
|
|
struct sctp_chunk *lchunk;
|
|
|
|
struct sctp_stream *stream;
|
2005-04-17 05:20:36 +07:00
|
|
|
__u16 ssn;
|
|
|
|
__u16 sid;
|
|
|
|
|
|
|
|
if (chunk->has_ssn)
|
|
|
|
return;
|
|
|
|
|
2007-08-03 03:51:42 +07:00
|
|
|
/* All fragments will be on the same stream */
|
|
|
|
sid = ntohs(chunk->subh.data_hdr->stream);
|
|
|
|
stream = &chunk->asoc->ssnmap->out;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2007-08-03 03:51:42 +07:00
|
|
|
/* Now assign the sequence number to the entire message.
|
|
|
|
* All fragments must have the same stream sequence number.
|
|
|
|
*/
|
|
|
|
msg = chunk->msg;
|
|
|
|
list_for_each_entry(lchunk, &msg->chunks, frag_list) {
|
|
|
|
if (lchunk->chunk_hdr->flags & SCTP_DATA_UNORDERED) {
|
|
|
|
ssn = 0;
|
|
|
|
} else {
|
|
|
|
if (lchunk->chunk_hdr->flags & SCTP_DATA_LAST_FRAG)
|
|
|
|
ssn = sctp_ssn_next(stream, sid);
|
|
|
|
else
|
|
|
|
ssn = sctp_ssn_peek(stream, sid);
|
|
|
|
}
|
|
|
|
|
|
|
|
lchunk->subh.data_hdr->ssn = htons(ssn);
|
|
|
|
lchunk->has_ssn = 1;
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Helper function to assign a TSN if needed. This assumes that both
|
|
|
|
* the data_hdr and association have already been assigned.
|
|
|
|
*/
|
|
|
|
void sctp_chunk_assign_tsn(struct sctp_chunk *chunk)
|
|
|
|
{
|
|
|
|
if (!chunk->has_tsn) {
|
|
|
|
/* This is the last possible instant to
|
|
|
|
* assign a TSN.
|
|
|
|
*/
|
|
|
|
chunk->subh.data_hdr->tsn =
|
|
|
|
htonl(sctp_association_get_next_tsn(chunk->asoc));
|
|
|
|
chunk->has_tsn = 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Create a CLOSED association to use with an incoming packet. */
|
|
|
|
struct sctp_association *sctp_make_temp_asoc(const struct sctp_endpoint *ep,
|
2005-07-12 10:57:47 +07:00
|
|
|
struct sctp_chunk *chunk,
|
2005-10-07 13:46:04 +07:00
|
|
|
gfp_t gfp)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
struct sctp_association *asoc;
|
|
|
|
struct sk_buff *skb;
|
|
|
|
sctp_scope_t scope;
|
|
|
|
|
|
|
|
/* Create the bare association. */
|
|
|
|
scope = sctp_scope(sctp_source(chunk));
|
|
|
|
asoc = sctp_association_new(ep, ep->base.sk, scope, gfp);
|
|
|
|
if (!asoc)
|
|
|
|
goto nodata;
|
|
|
|
asoc->temp = 1;
|
|
|
|
skb = chunk->skb;
|
|
|
|
/* Create an entry for the source address of the packet. */
|
2016-07-14 01:08:58 +07:00
|
|
|
SCTP_INPUT_CB(skb)->af->from_skb(&asoc->c.peer_addr, skb, 1);
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
nodata:
|
|
|
|
return asoc;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Build a cookie representing asoc.
|
|
|
|
* This INCLUDES the param header needed to put the cookie in the INIT ACK.
|
|
|
|
*/
|
|
|
|
static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep,
|
|
|
|
const struct sctp_association *asoc,
|
|
|
|
const struct sctp_chunk *init_chunk,
|
|
|
|
int *cookie_len,
|
|
|
|
const __u8 *raw_addrs, int addrs_len)
|
|
|
|
{
|
|
|
|
sctp_cookie_param_t *retval;
|
|
|
|
struct sctp_signed_cookie *cookie;
|
|
|
|
int headersize, bodysize;
|
|
|
|
|
2006-01-18 02:52:12 +07:00
|
|
|
/* Header size is static data prior to the actual cookie, including
|
|
|
|
* any padding.
|
|
|
|
*/
|
2007-02-09 21:25:18 +07:00
|
|
|
headersize = sizeof(sctp_paramhdr_t) +
|
|
|
|
(sizeof(struct sctp_signed_cookie) -
|
2006-01-18 02:52:12 +07:00
|
|
|
sizeof(struct sctp_cookie));
|
2005-04-17 05:20:36 +07:00
|
|
|
bodysize = sizeof(struct sctp_cookie)
|
|
|
|
+ ntohs(init_chunk->chunk_hdr->length) + addrs_len;
|
|
|
|
|
|
|
|
/* Pad out the cookie to a multiple to make the signature
|
|
|
|
* functions simpler to write.
|
|
|
|
*/
|
|
|
|
if (bodysize % SCTP_COOKIE_MULTIPLE)
|
|
|
|
bodysize += SCTP_COOKIE_MULTIPLE
|
|
|
|
- (bodysize % SCTP_COOKIE_MULTIPLE);
|
|
|
|
*cookie_len = headersize + bodysize;
|
|
|
|
|
|
|
|
/* Clear this memory since we are sending this data structure
|
|
|
|
* out on the network.
|
|
|
|
*/
|
2006-11-21 10:20:33 +07:00
|
|
|
retval = kzalloc(*cookie_len, GFP_ATOMIC);
|
|
|
|
if (!retval)
|
|
|
|
goto nodata;
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
cookie = (struct sctp_signed_cookie *) retval->body;
|
|
|
|
|
|
|
|
/* Set up the parameter header. */
|
|
|
|
retval->p.type = SCTP_PARAM_STATE_COOKIE;
|
|
|
|
retval->p.length = htons(*cookie_len);
|
|
|
|
|
|
|
|
/* Copy the cookie part of the association itself. */
|
|
|
|
cookie->c = asoc->c;
|
|
|
|
/* Save the raw address list length in the cookie. */
|
|
|
|
cookie->c.raw_addr_list_len = addrs_len;
|
|
|
|
|
|
|
|
/* Remember PR-SCTP capability. */
|
|
|
|
cookie->c.prsctp_capable = asoc->peer.prsctp_capable;
|
|
|
|
|
2006-12-21 07:07:04 +07:00
|
|
|
/* Save adaptation indication in the cookie. */
|
|
|
|
cookie->c.adaptation_ind = asoc->peer.adaptation_ind;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Set an expiration time for the cookie. */
|
2013-06-25 23:17:27 +07:00
|
|
|
cookie->c.expiration = ktime_add(asoc->cookie_life,
|
2015-12-05 00:14:03 +07:00
|
|
|
ktime_get_real());
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Copy the peer's init packet. */
|
|
|
|
memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr,
|
|
|
|
ntohs(init_chunk->chunk_hdr->length));
|
|
|
|
|
|
|
|
/* Copy the raw local address list of the association. */
|
|
|
|
memcpy((__u8 *)&cookie->c.peer_init[0] +
|
|
|
|
ntohs(init_chunk->chunk_hdr->length), raw_addrs, addrs_len);
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
if (sctp_sk(ep->base.sk)->hmac) {
|
2016-01-24 20:20:12 +07:00
|
|
|
SHASH_DESC_ON_STACK(desc, sctp_sk(ep->base.sk)->hmac);
|
|
|
|
int err;
|
2006-08-20 12:07:14 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Sign the message. */
|
2016-01-24 20:20:12 +07:00
|
|
|
desc->tfm = sctp_sk(ep->base.sk)->hmac;
|
|
|
|
desc->flags = 0;
|
|
|
|
|
|
|
|
err = crypto_shash_setkey(desc->tfm, ep->secret_key,
|
|
|
|
sizeof(ep->secret_key)) ?:
|
|
|
|
crypto_shash_digest(desc, (u8 *)&cookie->c, bodysize,
|
|
|
|
cookie->signature);
|
|
|
|
shash_desc_zero(desc);
|
|
|
|
if (err)
|
2006-08-20 12:07:14 +07:00
|
|
|
goto free_cookie;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
return retval;
|
2006-08-20 12:07:14 +07:00
|
|
|
|
|
|
|
free_cookie:
|
|
|
|
kfree(retval);
|
|
|
|
nodata:
|
|
|
|
*cookie_len = 0;
|
|
|
|
return NULL;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Unpack the cookie from COOKIE ECHO chunk, recreating the association. */
|
|
|
|
struct sctp_association *sctp_unpack_cookie(
|
|
|
|
const struct sctp_endpoint *ep,
|
|
|
|
const struct sctp_association *asoc,
|
2005-10-07 13:46:04 +07:00
|
|
|
struct sctp_chunk *chunk, gfp_t gfp,
|
2005-04-17 05:20:36 +07:00
|
|
|
int *error, struct sctp_chunk **errp)
|
|
|
|
{
|
|
|
|
struct sctp_association *retval = NULL;
|
|
|
|
struct sctp_signed_cookie *cookie;
|
|
|
|
struct sctp_cookie *bear_cookie;
|
|
|
|
int headersize, bodysize, fixed_size;
|
2006-01-18 02:55:57 +07:00
|
|
|
__u8 *digest = ep->digest;
|
2013-02-12 12:15:33 +07:00
|
|
|
unsigned int len;
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_scope_t scope;
|
|
|
|
struct sk_buff *skb = chunk->skb;
|
2013-06-25 23:17:27 +07:00
|
|
|
ktime_t kt;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2006-01-18 02:52:12 +07:00
|
|
|
/* Header size is static data prior to the actual cookie, including
|
|
|
|
* any padding.
|
|
|
|
*/
|
|
|
|
headersize = sizeof(sctp_chunkhdr_t) +
|
2007-02-09 21:25:18 +07:00
|
|
|
(sizeof(struct sctp_signed_cookie) -
|
2006-01-18 02:52:12 +07:00
|
|
|
sizeof(struct sctp_cookie));
|
2005-04-17 05:20:36 +07:00
|
|
|
bodysize = ntohs(chunk->chunk_hdr->length) - headersize;
|
|
|
|
fixed_size = headersize + sizeof(struct sctp_cookie);
|
|
|
|
|
|
|
|
/* Verify that the chunk looks like it even has a cookie.
|
|
|
|
* There must be enough room for our cookie and our peer's
|
|
|
|
* INIT chunk.
|
|
|
|
*/
|
|
|
|
len = ntohs(chunk->chunk_hdr->length);
|
|
|
|
if (len < fixed_size + sizeof(struct sctp_chunkhdr))
|
|
|
|
goto malformed;
|
|
|
|
|
|
|
|
/* Verify that the cookie has been padded out. */
|
|
|
|
if (bodysize % SCTP_COOKIE_MULTIPLE)
|
|
|
|
goto malformed;
|
|
|
|
|
|
|
|
/* Process the cookie. */
|
|
|
|
cookie = chunk->subh.cookie_hdr;
|
|
|
|
bear_cookie = &cookie->c;
|
|
|
|
|
|
|
|
if (!sctp_sk(ep->base.sk)->hmac)
|
|
|
|
goto no_hmac;
|
|
|
|
|
|
|
|
/* Check the signature. */
|
2016-01-24 20:20:12 +07:00
|
|
|
{
|
|
|
|
SHASH_DESC_ON_STACK(desc, sctp_sk(ep->base.sk)->hmac);
|
|
|
|
int err;
|
|
|
|
|
|
|
|
desc->tfm = sctp_sk(ep->base.sk)->hmac;
|
|
|
|
desc->flags = 0;
|
|
|
|
|
|
|
|
err = crypto_shash_setkey(desc->tfm, ep->secret_key,
|
|
|
|
sizeof(ep->secret_key)) ?:
|
|
|
|
crypto_shash_digest(desc, (u8 *)bear_cookie, bodysize,
|
|
|
|
digest);
|
|
|
|
shash_desc_zero(desc);
|
|
|
|
|
|
|
|
if (err) {
|
|
|
|
*error = -SCTP_IERROR_NOMEM;
|
|
|
|
goto fail;
|
|
|
|
}
|
2006-08-20 12:07:14 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (memcmp(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
|
2013-02-12 12:15:33 +07:00
|
|
|
*error = -SCTP_IERROR_BAD_SIG;
|
|
|
|
goto fail;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
no_hmac:
|
|
|
|
/* IG Section 2.35.2:
|
|
|
|
* 3) Compare the port numbers and the verification tag contained
|
|
|
|
* within the COOKIE ECHO chunk to the actual port numbers and the
|
|
|
|
* verification tag within the SCTP common header of the received
|
|
|
|
* packet. If these values do not match the packet MUST be silently
|
|
|
|
* discarded,
|
|
|
|
*/
|
|
|
|
if (ntohl(chunk->sctp_hdr->vtag) != bear_cookie->my_vtag) {
|
|
|
|
*error = -SCTP_IERROR_BAD_TAG;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2006-11-21 08:09:17 +07:00
|
|
|
if (chunk->sctp_hdr->source != bear_cookie->peer_addr.v4.sin_port ||
|
2005-04-17 05:20:36 +07:00
|
|
|
ntohs(chunk->sctp_hdr->dest) != bear_cookie->my_port) {
|
|
|
|
*error = -SCTP_IERROR_BAD_PORTS;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check to see if the cookie is stale. If there is already
|
|
|
|
* an association, there is no need to check cookie's expiration
|
|
|
|
* for init collision case of lost COOKIE ACK.
|
2006-09-30 07:10:03 +07:00
|
|
|
* If skb has been timestamped, then use the stamp, otherwise
|
|
|
|
* use current time. This introduces a small possibility that
|
|
|
|
* that a cookie may be considered expired, but his would only slow
|
|
|
|
* down the new association establishment instead of every packet.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
2006-09-30 07:10:03 +07:00
|
|
|
if (sock_flag(ep->base.sk, SOCK_TIMESTAMP))
|
2013-06-25 23:17:27 +07:00
|
|
|
kt = skb_get_ktime(skb);
|
2006-09-30 07:10:03 +07:00
|
|
|
else
|
2015-12-05 00:14:03 +07:00
|
|
|
kt = ktime_get_real();
|
2006-09-30 07:10:03 +07:00
|
|
|
|
2014-06-11 23:19:28 +07:00
|
|
|
if (!asoc && ktime_before(bear_cookie->expiration, kt)) {
|
2005-04-17 05:20:36 +07:00
|
|
|
/*
|
|
|
|
* Section 3.3.10.3 Stale Cookie Error (3)
|
|
|
|
*
|
|
|
|
* Cause of error
|
|
|
|
* ---------------
|
|
|
|
* Stale Cookie Error: Indicates the receipt of a valid State
|
|
|
|
* Cookie that has expired.
|
|
|
|
*/
|
|
|
|
len = ntohs(chunk->chunk_hdr->length);
|
|
|
|
*errp = sctp_make_op_error_space(asoc, chunk, len);
|
|
|
|
if (*errp) {
|
2013-06-25 23:17:27 +07:00
|
|
|
suseconds_t usecs = ktime_to_us(ktime_sub(kt, bear_cookie->expiration));
|
2006-11-21 08:27:15 +07:00
|
|
|
__be32 n = htonl(usecs);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
sctp_init_cause(*errp, SCTP_ERROR_STALE_COOKIE,
|
2007-08-21 14:50:01 +07:00
|
|
|
sizeof(n));
|
|
|
|
sctp_addto_chunk(*errp, sizeof(n), &n);
|
2005-04-17 05:20:36 +07:00
|
|
|
*error = -SCTP_IERROR_STALE_COOKIE;
|
|
|
|
} else
|
|
|
|
*error = -SCTP_IERROR_NOMEM;
|
|
|
|
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Make a new base association. */
|
|
|
|
scope = sctp_scope(sctp_source(chunk));
|
|
|
|
retval = sctp_association_new(ep, ep->base.sk, scope, gfp);
|
|
|
|
if (!retval) {
|
|
|
|
*error = -SCTP_IERROR_NOMEM;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Set up our peer's port number. */
|
|
|
|
retval->peer.port = ntohs(chunk->sctp_hdr->source);
|
|
|
|
|
|
|
|
/* Populate the association from the cookie. */
|
|
|
|
memcpy(&retval->c, bear_cookie, sizeof(*bear_cookie));
|
|
|
|
|
|
|
|
if (sctp_assoc_set_bind_addr_from_cookie(retval, bear_cookie,
|
|
|
|
GFP_ATOMIC) < 0) {
|
|
|
|
*error = -SCTP_IERROR_NOMEM;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Also, add the destination address. */
|
|
|
|
if (list_empty(&retval->base.bind_addr.address_list)) {
|
2007-12-21 05:12:24 +07:00
|
|
|
sctp_add_bind_addr(&retval->base.bind_addr, &chunk->dest,
|
2016-03-08 20:34:28 +07:00
|
|
|
sizeof(chunk->dest), SCTP_ADDR_SRC,
|
|
|
|
GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
retval->next_tsn = retval->c.initial_tsn;
|
|
|
|
retval->ctsn_ack_point = retval->next_tsn - 1;
|
|
|
|
retval->addip_serial = retval->c.initial_tsn;
|
|
|
|
retval->adv_peer_ack_point = retval->ctsn_ack_point;
|
|
|
|
retval->peer.prsctp_capable = retval->c.prsctp_capable;
|
2006-12-21 07:07:04 +07:00
|
|
|
retval->peer.adaptation_ind = retval->c.adaptation_ind;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* The INIT stuff will be done by the side effects. */
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
fail:
|
|
|
|
if (retval)
|
|
|
|
sctp_association_free(retval);
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
malformed:
|
|
|
|
/* Yikes! The packet is either corrupt or deliberately
|
|
|
|
* malformed.
|
|
|
|
*/
|
|
|
|
*error = -SCTP_IERROR_MALFORMED;
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
/********************************************************************
|
|
|
|
* 3rd Level Abstractions
|
|
|
|
********************************************************************/
|
|
|
|
|
|
|
|
struct __sctp_missing {
|
2006-11-21 08:26:34 +07:00
|
|
|
__be32 num_missing;
|
|
|
|
__be16 type;
|
2010-06-03 17:21:52 +07:00
|
|
|
} __packed;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Report a missing mandatory parameter.
|
|
|
|
*/
|
|
|
|
static int sctp_process_missing_param(const struct sctp_association *asoc,
|
|
|
|
sctp_param_t paramtype,
|
|
|
|
struct sctp_chunk *chunk,
|
|
|
|
struct sctp_chunk **errp)
|
|
|
|
{
|
|
|
|
struct __sctp_missing report;
|
|
|
|
__u16 len;
|
|
|
|
|
2016-09-21 18:45:55 +07:00
|
|
|
len = SCTP_PAD4(sizeof(report));
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Make an ERROR chunk, preparing enough room for
|
|
|
|
* returning multiple unknown parameters.
|
|
|
|
*/
|
|
|
|
if (!*errp)
|
|
|
|
*errp = sctp_make_op_error_space(asoc, chunk, len);
|
|
|
|
|
|
|
|
if (*errp) {
|
|
|
|
report.num_missing = htonl(1);
|
|
|
|
report.type = paramtype;
|
2007-01-16 10:12:31 +07:00
|
|
|
sctp_init_cause(*errp, SCTP_ERROR_MISS_PARAM,
|
2007-08-21 14:50:01 +07:00
|
|
|
sizeof(report));
|
|
|
|
sctp_addto_chunk(*errp, sizeof(report), &report);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Stop processing this chunk. */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Report an Invalid Mandatory Parameter. */
|
|
|
|
static int sctp_process_inv_mandatory(const struct sctp_association *asoc,
|
|
|
|
struct sctp_chunk *chunk,
|
|
|
|
struct sctp_chunk **errp)
|
|
|
|
{
|
|
|
|
/* Invalid Mandatory Parameter Error has no payload. */
|
|
|
|
|
|
|
|
if (!*errp)
|
|
|
|
*errp = sctp_make_op_error_space(asoc, chunk, 0);
|
|
|
|
|
|
|
|
if (*errp)
|
2007-08-21 14:50:01 +07:00
|
|
|
sctp_init_cause(*errp, SCTP_ERROR_INV_PARAM, 0);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Stop processing this chunk. */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int sctp_process_inv_paramlength(const struct sctp_association *asoc,
|
|
|
|
struct sctp_paramhdr *param,
|
|
|
|
const struct sctp_chunk *chunk,
|
|
|
|
struct sctp_chunk **errp)
|
|
|
|
{
|
2007-11-09 23:43:41 +07:00
|
|
|
/* This is a fatal error. Any accumulated non-fatal errors are
|
|
|
|
* not reported.
|
|
|
|
*/
|
|
|
|
if (*errp)
|
|
|
|
sctp_chunk_free(*errp);
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Create an error chunk and fill it in with our payload. */
|
2008-09-30 19:32:24 +07:00
|
|
|
*errp = sctp_make_violation_paramlen(asoc, chunk, param);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Do not attempt to handle the HOST_NAME parm. However, do
|
|
|
|
* send back an indicator to the peer.
|
|
|
|
*/
|
|
|
|
static int sctp_process_hn_param(const struct sctp_association *asoc,
|
|
|
|
union sctp_params param,
|
|
|
|
struct sctp_chunk *chunk,
|
|
|
|
struct sctp_chunk **errp)
|
|
|
|
{
|
|
|
|
__u16 len = ntohs(param.p->length);
|
|
|
|
|
2007-11-09 23:43:41 +07:00
|
|
|
/* Processing of the HOST_NAME parameter will generate an
|
|
|
|
* ABORT. If we've accumulated any non-fatal errors, they
|
|
|
|
* would be unrecognized parameters and we should not include
|
|
|
|
* them in the ABORT.
|
|
|
|
*/
|
|
|
|
if (*errp)
|
|
|
|
sctp_chunk_free(*errp);
|
|
|
|
|
|
|
|
*errp = sctp_make_op_error_space(asoc, chunk, len);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2007-08-21 14:50:01 +07:00
|
|
|
if (*errp) {
|
|
|
|
sctp_init_cause(*errp, SCTP_ERROR_DNS_FAILED, len);
|
|
|
|
sctp_addto_chunk(*errp, len, param.v);
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Stop processing this chunk. */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-08-07 14:29:08 +07:00
|
|
|
static int sctp_verify_ext_param(struct net *net, union sctp_params param)
|
2007-12-21 05:13:31 +07:00
|
|
|
{
|
|
|
|
__u16 num_ext = ntohs(param.p->length) - sizeof(sctp_paramhdr_t);
|
|
|
|
int have_auth = 0;
|
|
|
|
int have_asconf = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < num_ext; i++) {
|
|
|
|
switch (param.ext->chunks[i]) {
|
2013-12-23 11:16:52 +07:00
|
|
|
case SCTP_CID_AUTH:
|
|
|
|
have_auth = 1;
|
|
|
|
break;
|
|
|
|
case SCTP_CID_ASCONF:
|
|
|
|
case SCTP_CID_ASCONF_ACK:
|
|
|
|
have_asconf = 1;
|
|
|
|
break;
|
2007-12-21 05:13:31 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ADD-IP Security: The draft requires us to ABORT or ignore the
|
|
|
|
* INIT/INIT-ACK if ADD-IP is listed, but AUTH is not. Do this
|
|
|
|
* only if ADD-IP is turned on and we are not backward-compatible
|
|
|
|
* mode.
|
|
|
|
*/
|
2012-08-07 14:29:57 +07:00
|
|
|
if (net->sctp.addip_noauth)
|
2007-12-21 05:13:31 +07:00
|
|
|
return 1;
|
|
|
|
|
2012-08-07 14:29:57 +07:00
|
|
|
if (net->sctp.addip_enable && !have_auth && have_asconf)
|
2007-12-21 05:13:31 +07:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2007-09-17 05:53:56 +07:00
|
|
|
static void sctp_process_ext_param(struct sctp_association *asoc,
|
|
|
|
union sctp_params param)
|
|
|
|
{
|
2012-08-07 14:29:57 +07:00
|
|
|
struct net *net = sock_net(asoc->base.sk);
|
2007-09-17 05:53:56 +07:00
|
|
|
__u16 num_ext = ntohs(param.p->length) - sizeof(sctp_paramhdr_t);
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < num_ext; i++) {
|
|
|
|
switch (param.ext->chunks[i]) {
|
2013-12-23 11:16:52 +07:00
|
|
|
case SCTP_CID_FWD_TSN:
|
2016-07-09 18:47:40 +07:00
|
|
|
if (asoc->prsctp_enable && !asoc->peer.prsctp_capable)
|
|
|
|
asoc->peer.prsctp_capable = 1;
|
2013-12-23 11:16:52 +07:00
|
|
|
break;
|
|
|
|
case SCTP_CID_AUTH:
|
|
|
|
/* if the peer reports AUTH, assume that he
|
|
|
|
* supports AUTH.
|
|
|
|
*/
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (asoc->ep->auth_enable)
|
2013-12-23 11:16:52 +07:00
|
|
|
asoc->peer.auth_capable = 1;
|
|
|
|
break;
|
|
|
|
case SCTP_CID_ASCONF:
|
|
|
|
case SCTP_CID_ASCONF_ACK:
|
|
|
|
if (net->sctp.addip_enable)
|
|
|
|
asoc->peer.asconf_capable = 1;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
2007-09-17 05:53:56 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* RFC 3.2.1 & the Implementers Guide 2.2.
|
|
|
|
*
|
|
|
|
* The Parameter Types are encoded such that the
|
|
|
|
* highest-order two bits specify the action that must be
|
|
|
|
* taken if the processing endpoint does not recognize the
|
|
|
|
* Parameter Type.
|
|
|
|
*
|
2007-11-09 23:43:41 +07:00
|
|
|
* 00 - Stop processing this parameter; do not process any further
|
|
|
|
* parameters within this chunk
|
2005-04-17 05:20:36 +07:00
|
|
|
*
|
2007-11-09 23:43:41 +07:00
|
|
|
* 01 - Stop processing this parameter, do not process any further
|
|
|
|
* parameters within this chunk, and report the unrecognized
|
|
|
|
* parameter in an 'Unrecognized Parameter' ERROR chunk.
|
2005-04-17 05:20:36 +07:00
|
|
|
*
|
|
|
|
* 10 - Skip this parameter and continue processing.
|
|
|
|
*
|
|
|
|
* 11 - Skip this parameter and continue processing but
|
|
|
|
* report the unrecognized parameter in an
|
2007-11-09 23:43:41 +07:00
|
|
|
* 'Unrecognized Parameter' ERROR chunk.
|
2005-04-17 05:20:36 +07:00
|
|
|
*
|
|
|
|
* Return value:
|
2007-11-09 23:43:41 +07:00
|
|
|
* SCTP_IERROR_NO_ERROR - continue with the chunk
|
|
|
|
* SCTP_IERROR_ERROR - stop and report an error.
|
|
|
|
* SCTP_IERROR_NOMEME - out of memory.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
2007-11-09 23:43:41 +07:00
|
|
|
static sctp_ierror_t sctp_process_unk_param(const struct sctp_association *asoc,
|
|
|
|
union sctp_params param,
|
|
|
|
struct sctp_chunk *chunk,
|
|
|
|
struct sctp_chunk **errp)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2007-11-09 23:43:41 +07:00
|
|
|
int retval = SCTP_IERROR_NO_ERROR;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
switch (param.p->type & SCTP_PARAM_ACTION_MASK) {
|
|
|
|
case SCTP_PARAM_ACTION_DISCARD:
|
2007-11-09 23:43:41 +07:00
|
|
|
retval = SCTP_IERROR_ERROR;
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
case SCTP_PARAM_ACTION_SKIP:
|
|
|
|
break;
|
2007-11-09 23:43:41 +07:00
|
|
|
case SCTP_PARAM_ACTION_DISCARD_ERR:
|
|
|
|
retval = SCTP_IERROR_ERROR;
|
|
|
|
/* Fall through */
|
2005-04-17 05:20:36 +07:00
|
|
|
case SCTP_PARAM_ACTION_SKIP_ERR:
|
|
|
|
/* Make an ERROR chunk, preparing enough room for
|
|
|
|
* returning multiple unknown parameters.
|
|
|
|
*/
|
|
|
|
if (NULL == *errp)
|
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-28 17:30:59 +07:00
|
|
|
*errp = sctp_make_op_error_fixed(asoc, chunk);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (*errp) {
|
2011-02-17 20:12:08 +07:00
|
|
|
if (!sctp_init_cause_fixed(*errp, SCTP_ERROR_UNKNOWN_PARAM,
|
2016-09-21 18:45:55 +07:00
|
|
|
SCTP_PAD4(ntohs(param.p->length))))
|
2011-02-17 20:12:08 +07:00
|
|
|
sctp_addto_chunk_fixed(*errp,
|
2016-09-21 18:45:55 +07:00
|
|
|
SCTP_PAD4(ntohs(param.p->length)),
|
2011-02-17 20:12:08 +07:00
|
|
|
param.v);
|
2005-04-17 05:20:36 +07:00
|
|
|
} else {
|
|
|
|
/* If there is no memory for generating the ERROR
|
|
|
|
* report as specified, an ABORT will be triggered
|
|
|
|
* to the peer and the association won't be
|
|
|
|
* established.
|
|
|
|
*/
|
2007-11-09 23:43:41 +07:00
|
|
|
retval = SCTP_IERROR_NOMEM;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2007-11-09 23:43:41 +07:00
|
|
|
/* Verify variable length parameters
|
2005-04-17 05:20:36 +07:00
|
|
|
* Return values:
|
2007-11-09 23:43:41 +07:00
|
|
|
* SCTP_IERROR_ABORT - trigger an ABORT
|
|
|
|
* SCTP_IERROR_NOMEM - out of memory (abort)
|
|
|
|
* SCTP_IERROR_ERROR - stop processing, trigger an ERROR
|
|
|
|
* SCTP_IERROR_NO_ERROR - continue with the chunk
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
2012-08-07 14:29:08 +07:00
|
|
|
static sctp_ierror_t sctp_verify_param(struct net *net,
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
const struct sctp_endpoint *ep,
|
2012-08-07 14:29:08 +07:00
|
|
|
const struct sctp_association *asoc,
|
2007-11-09 23:43:41 +07:00
|
|
|
union sctp_params param,
|
|
|
|
sctp_cid_t cid,
|
|
|
|
struct sctp_chunk *chunk,
|
|
|
|
struct sctp_chunk **err_chunk)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2008-04-13 08:39:19 +07:00
|
|
|
struct sctp_hmac_algo_param *hmacs;
|
2007-11-09 23:43:41 +07:00
|
|
|
int retval = SCTP_IERROR_NO_ERROR;
|
2008-04-13 08:39:19 +07:00
|
|
|
__u16 n_elt, id = 0;
|
|
|
|
int i;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* FIXME - This routine is not looking at each parameter per the
|
|
|
|
* chunk type, i.e., unrecognized parameters should be further
|
|
|
|
* identified based on the chunk id.
|
|
|
|
*/
|
|
|
|
|
|
|
|
switch (param.p->type) {
|
|
|
|
case SCTP_PARAM_IPV4_ADDRESS:
|
|
|
|
case SCTP_PARAM_IPV6_ADDRESS:
|
|
|
|
case SCTP_PARAM_COOKIE_PRESERVATIVE:
|
|
|
|
case SCTP_PARAM_SUPPORTED_ADDRESS_TYPES:
|
|
|
|
case SCTP_PARAM_STATE_COOKIE:
|
|
|
|
case SCTP_PARAM_HEARTBEAT_INFO:
|
|
|
|
case SCTP_PARAM_UNRECOGNIZED_PARAMETERS:
|
|
|
|
case SCTP_PARAM_ECN_CAPABLE:
|
2006-12-21 07:07:04 +07:00
|
|
|
case SCTP_PARAM_ADAPTATION_LAYER_IND:
|
2007-12-21 05:13:31 +07:00
|
|
|
break;
|
|
|
|
|
2007-09-17 05:53:56 +07:00
|
|
|
case SCTP_PARAM_SUPPORTED_EXT:
|
2012-08-07 14:29:08 +07:00
|
|
|
if (!sctp_verify_ext_param(net, param))
|
2007-12-21 05:13:31 +07:00
|
|
|
return SCTP_IERROR_ABORT;
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
|
2007-12-21 05:10:00 +07:00
|
|
|
case SCTP_PARAM_SET_PRIMARY:
|
2012-08-07 14:29:57 +07:00
|
|
|
if (net->sctp.addip_enable)
|
2007-12-21 05:10:00 +07:00
|
|
|
break;
|
|
|
|
goto fallthrough;
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
case SCTP_PARAM_HOST_NAME_ADDRESS:
|
|
|
|
/* Tell the peer, we won't support this param. */
|
2007-11-09 23:43:41 +07:00
|
|
|
sctp_process_hn_param(asoc, param, chunk, err_chunk);
|
|
|
|
retval = SCTP_IERROR_ABORT;
|
|
|
|
break;
|
2007-09-17 05:53:56 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
case SCTP_PARAM_FWD_TSN_SUPPORT:
|
2016-07-09 18:47:40 +07:00
|
|
|
if (ep->prsctp_enable)
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
2007-09-17 09:32:11 +07:00
|
|
|
goto fallthrough;
|
|
|
|
|
|
|
|
case SCTP_PARAM_RANDOM:
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (!ep->auth_enable)
|
2007-09-17 09:32:11 +07:00
|
|
|
goto fallthrough;
|
|
|
|
|
|
|
|
/* SCTP-AUTH: Secion 6.1
|
|
|
|
* If the random number is not 32 byte long the association
|
|
|
|
* MUST be aborted. The ABORT chunk SHOULD contain the error
|
|
|
|
* cause 'Protocol Violation'.
|
|
|
|
*/
|
|
|
|
if (SCTP_AUTH_RANDOM_LENGTH !=
|
2007-11-09 23:43:41 +07:00
|
|
|
ntohs(param.p->length) - sizeof(sctp_paramhdr_t)) {
|
|
|
|
sctp_process_inv_paramlength(asoc, param.p,
|
2007-09-17 09:32:11 +07:00
|
|
|
chunk, err_chunk);
|
2007-11-09 23:43:41 +07:00
|
|
|
retval = SCTP_IERROR_ABORT;
|
|
|
|
}
|
2007-09-17 09:32:11 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_CHUNKS:
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (!ep->auth_enable)
|
2007-09-17 09:32:11 +07:00
|
|
|
goto fallthrough;
|
|
|
|
|
|
|
|
/* SCTP-AUTH: Section 3.2
|
|
|
|
* The CHUNKS parameter MUST be included once in the INIT or
|
|
|
|
* INIT-ACK chunk if the sender wants to receive authenticated
|
|
|
|
* chunks. Its maximum length is 260 bytes.
|
|
|
|
*/
|
2007-11-09 23:43:41 +07:00
|
|
|
if (260 < ntohs(param.p->length)) {
|
|
|
|
sctp_process_inv_paramlength(asoc, param.p,
|
|
|
|
chunk, err_chunk);
|
|
|
|
retval = SCTP_IERROR_ABORT;
|
|
|
|
}
|
2007-09-17 09:32:11 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_HMAC_ALGO:
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (!ep->auth_enable)
|
2008-04-13 08:39:19 +07:00
|
|
|
goto fallthrough;
|
|
|
|
|
|
|
|
hmacs = (struct sctp_hmac_algo_param *)param.p;
|
|
|
|
n_elt = (ntohs(param.p->length) - sizeof(sctp_paramhdr_t)) >> 1;
|
|
|
|
|
|
|
|
/* SCTP-AUTH: Section 6.1
|
|
|
|
* The HMAC algorithm based on SHA-1 MUST be supported and
|
|
|
|
* included in the HMAC-ALGO parameter.
|
|
|
|
*/
|
|
|
|
for (i = 0; i < n_elt; i++) {
|
|
|
|
id = ntohs(hmacs->hmac_ids[i]);
|
|
|
|
|
|
|
|
if (id == SCTP_AUTH_HMAC_ID_SHA1)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (id != SCTP_AUTH_HMAC_ID_SHA1) {
|
|
|
|
sctp_process_inv_paramlength(asoc, param.p, chunk,
|
|
|
|
err_chunk);
|
|
|
|
retval = SCTP_IERROR_ABORT;
|
|
|
|
}
|
|
|
|
break;
|
2007-09-17 09:32:11 +07:00
|
|
|
fallthrough:
|
2005-04-17 05:20:36 +07:00
|
|
|
default:
|
net: sctp: rework debugging framework to use pr_debug and friends
We should get rid of all own SCTP debug printk macros and use the ones
that the kernel offers anyway instead. This makes the code more readable
and conform to the kernel code, and offers all the features of dynamic
debbuging that pr_debug() et al has, such as only turning on/off portions
of debug messages at runtime through debugfs. The runtime cost of having
CONFIG_DYNAMIC_DEBUG enabled, but none of the debug statements printing,
is negligible [1]. If kernel debugging is completly turned off, then these
statements will also compile into "empty" functions.
While we're at it, we also need to change the Kconfig option as it /now/
only refers to the ifdef'ed code portions in outqueue.c that enable further
debugging/tracing of SCTP transaction fields. Also, since SCTP_ASSERT code
was enabled with this Kconfig option and has now been removed, we
transform those code parts into WARNs resp. where appropriate BUG_ONs so
that those bugs can be more easily detected as probably not many people
have SCTP debugging permanently turned on.
To turn on all SCTP debugging, the following steps are needed:
# mount -t debugfs none /sys/kernel/debug
# echo -n 'module sctp +p' > /sys/kernel/debug/dynamic_debug/control
This can be done more fine-grained on a per file, per line basis and others
as described in [2].
[1] https://www.kernel.org/doc/ols/2009/ols2009-pages-39-46.pdf
[2] Documentation/dynamic-debug-howto.txt
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-29 00:49:40 +07:00
|
|
|
pr_debug("%s: unrecognized param:%d for chunk:%d\n",
|
|
|
|
__func__, ntohs(param.p->type), cid);
|
|
|
|
|
2007-11-09 23:43:41 +07:00
|
|
|
retval = sctp_process_unk_param(asoc, param, chunk, err_chunk);
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify the INIT packet before we process it. */
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
int sctp_verify_init(struct net *net, const struct sctp_endpoint *ep,
|
|
|
|
const struct sctp_association *asoc, sctp_cid_t cid,
|
|
|
|
sctp_init_chunk_t *peer_init, struct sctp_chunk *chunk,
|
2005-04-17 05:20:36 +07:00
|
|
|
struct sctp_chunk **errp)
|
|
|
|
{
|
|
|
|
union sctp_params param;
|
2013-08-27 21:53:52 +07:00
|
|
|
bool has_cookie = false;
|
2007-11-09 23:43:41 +07:00
|
|
|
int result;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2013-08-27 21:53:52 +07:00
|
|
|
/* Check for missing mandatory parameters. Note: Initial TSN is
|
|
|
|
* also mandatory, but is not checked here since the valid range
|
|
|
|
* is 0..2**32-1. RFC4960, section 3.3.3.
|
|
|
|
*/
|
|
|
|
if (peer_init->init_hdr.num_outbound_streams == 0 ||
|
|
|
|
peer_init->init_hdr.num_inbound_streams == 0 ||
|
|
|
|
peer_init->init_hdr.init_tag == 0 ||
|
|
|
|
ntohl(peer_init->init_hdr.a_rwnd) < SCTP_DEFAULT_MINWINDOW)
|
2007-11-09 23:43:41 +07:00
|
|
|
return sctp_process_inv_mandatory(asoc, chunk, errp);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
sctp_walk_params(param, peer_init, init_hdr.params) {
|
2013-08-27 21:53:52 +07:00
|
|
|
if (param.p->type == SCTP_PARAM_STATE_COOKIE)
|
|
|
|
has_cookie = true;
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* There is a possibility that a parameter length was bad and
|
|
|
|
* in that case we would have stoped walking the parameters.
|
|
|
|
* The current param.p would point at the bad one.
|
|
|
|
* Current consensus on the mailing list is to generate a PROTOCOL
|
|
|
|
* VIOLATION error. We build the ERROR chunk here and let the normal
|
|
|
|
* error handling code build and send the packet.
|
|
|
|
*/
|
2013-12-23 11:16:51 +07:00
|
|
|
if (param.v != (void *)chunk->chunk_end)
|
2007-11-09 23:43:41 +07:00
|
|
|
return sctp_process_inv_paramlength(asoc, param.p, chunk, errp);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* The only missing mandatory param possible today is
|
|
|
|
* the state cookie for an INIT-ACK chunk.
|
|
|
|
*/
|
2007-11-09 23:43:41 +07:00
|
|
|
if ((SCTP_CID_INIT_ACK == cid) && !has_cookie)
|
|
|
|
return sctp_process_missing_param(asoc, SCTP_PARAM_STATE_COOKIE,
|
|
|
|
chunk, errp);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2007-11-09 23:43:41 +07:00
|
|
|
/* Verify all the variable length parameters */
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_walk_params(param, peer_init, init_hdr.params) {
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
result = sctp_verify_param(net, ep, asoc, param, cid,
|
|
|
|
chunk, errp);
|
2007-11-09 23:43:41 +07:00
|
|
|
switch (result) {
|
2013-12-23 11:16:52 +07:00
|
|
|
case SCTP_IERROR_ABORT:
|
|
|
|
case SCTP_IERROR_NOMEM:
|
|
|
|
return 0;
|
|
|
|
case SCTP_IERROR_ERROR:
|
|
|
|
return 1;
|
|
|
|
case SCTP_IERROR_NO_ERROR:
|
|
|
|
default:
|
|
|
|
break;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
} /* for (loop through all parameters) */
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Unpack the parameters in an INIT packet into an association.
|
|
|
|
* Returns 0 on failure, else success.
|
|
|
|
* FIXME: This is an association method.
|
|
|
|
*/
|
2011-04-20 04:30:51 +07:00
|
|
|
int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
|
2005-04-17 05:20:36 +07:00
|
|
|
const union sctp_addr *peer_addr,
|
2005-10-07 13:46:04 +07:00
|
|
|
sctp_init_chunk_t *peer_init, gfp_t gfp)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2012-08-07 14:29:57 +07:00
|
|
|
struct net *net = sock_net(asoc->base.sk);
|
2005-04-17 05:20:36 +07:00
|
|
|
union sctp_params param;
|
|
|
|
struct sctp_transport *transport;
|
|
|
|
struct list_head *pos, *temp;
|
2011-04-20 04:30:51 +07:00
|
|
|
struct sctp_af *af;
|
|
|
|
union sctp_addr addr;
|
2005-04-17 05:20:36 +07:00
|
|
|
char *cookie;
|
2011-04-20 04:30:51 +07:00
|
|
|
int src_match = 0;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* We must include the address that the INIT packet came from.
|
|
|
|
* This is the only address that matters for an INIT packet.
|
|
|
|
* When processing a COOKIE ECHO, we retrieve the from address
|
|
|
|
* of the INIT from the cookie.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* This implementation defaults to making the first transport
|
|
|
|
* added as the primary transport. The source address seems to
|
|
|
|
* be a a better choice than any of the embedded addresses.
|
|
|
|
*/
|
2013-12-23 11:16:50 +07:00
|
|
|
if (!sctp_assoc_add_peer(asoc, peer_addr, gfp, SCTP_ACTIVE))
|
2011-04-20 04:30:51 +07:00
|
|
|
goto nomem;
|
|
|
|
|
|
|
|
if (sctp_cmp_addr_exact(sctp_source(chunk), peer_addr))
|
|
|
|
src_match = 1;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Process the initialization parameters. */
|
|
|
|
sctp_walk_params(param, peer_init, init_hdr.params) {
|
2011-04-20 04:30:51 +07:00
|
|
|
if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
|
|
|
|
param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
|
|
|
|
af = sctp_get_af_specific(param_type2af(param.p->type));
|
|
|
|
af->from_addr_param(&addr, param.addr,
|
|
|
|
chunk->sctp_hdr->source, 0);
|
|
|
|
if (sctp_cmp_addr_exact(sctp_source(chunk), &addr))
|
|
|
|
src_match = 1;
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (!sctp_process_param(asoc, param, peer_addr, gfp))
|
2007-02-09 21:25:18 +07:00
|
|
|
goto clean_up;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2011-04-20 04:30:51 +07:00
|
|
|
/* source address of chunk may not match any valid address */
|
|
|
|
if (!src_match)
|
|
|
|
goto clean_up;
|
|
|
|
|
2007-09-17 09:32:11 +07:00
|
|
|
/* AUTH: After processing the parameters, make sure that we
|
|
|
|
* have all the required info to potentially do authentications.
|
|
|
|
*/
|
|
|
|
if (asoc->peer.auth_capable && (!asoc->peer.peer_random ||
|
|
|
|
!asoc->peer.peer_hmacs))
|
|
|
|
asoc->peer.auth_capable = 0;
|
|
|
|
|
2007-12-21 05:13:31 +07:00
|
|
|
/* In a non-backward compatible mode, if the peer claims
|
|
|
|
* support for ADD-IP but not AUTH, the ADD-IP spec states
|
|
|
|
* that we MUST ABORT the association. Section 6. The section
|
|
|
|
* also give us an option to silently ignore the packet, which
|
|
|
|
* is what we'll do here.
|
2007-09-17 09:35:39 +07:00
|
|
|
*/
|
2012-08-07 14:29:57 +07:00
|
|
|
if (!net->sctp.addip_noauth &&
|
2007-10-25 04:24:26 +07:00
|
|
|
(asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
|
2007-09-17 09:35:39 +07:00
|
|
|
asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
|
|
|
|
SCTP_PARAM_DEL_IP |
|
|
|
|
SCTP_PARAM_SET_PRIMARY);
|
2007-10-25 04:24:23 +07:00
|
|
|
asoc->peer.asconf_capable = 0;
|
2007-12-21 05:13:31 +07:00
|
|
|
goto clean_up;
|
2007-09-17 09:35:39 +07:00
|
|
|
}
|
|
|
|
|
2005-06-21 03:14:57 +07:00
|
|
|
/* Walk list of transports, removing transports in the UNKNOWN state. */
|
|
|
|
list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
|
|
|
|
transport = list_entry(pos, struct sctp_transport, transports);
|
|
|
|
if (transport->state == SCTP_UNKNOWN) {
|
|
|
|
sctp_assoc_rm_peer(asoc, transport);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* The fixed INIT headers are always in network byte
|
|
|
|
* order.
|
|
|
|
*/
|
|
|
|
asoc->peer.i.init_tag =
|
|
|
|
ntohl(peer_init->init_hdr.init_tag);
|
|
|
|
asoc->peer.i.a_rwnd =
|
|
|
|
ntohl(peer_init->init_hdr.a_rwnd);
|
|
|
|
asoc->peer.i.num_outbound_streams =
|
|
|
|
ntohs(peer_init->init_hdr.num_outbound_streams);
|
|
|
|
asoc->peer.i.num_inbound_streams =
|
|
|
|
ntohs(peer_init->init_hdr.num_inbound_streams);
|
|
|
|
asoc->peer.i.initial_tsn =
|
|
|
|
ntohl(peer_init->init_hdr.initial_tsn);
|
|
|
|
|
|
|
|
/* Apply the upper bounds for output streams based on peer's
|
|
|
|
* number of inbound streams.
|
|
|
|
*/
|
|
|
|
if (asoc->c.sinit_num_ostreams >
|
|
|
|
ntohs(peer_init->init_hdr.num_inbound_streams)) {
|
|
|
|
asoc->c.sinit_num_ostreams =
|
|
|
|
ntohs(peer_init->init_hdr.num_inbound_streams);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (asoc->c.sinit_max_instreams >
|
|
|
|
ntohs(peer_init->init_hdr.num_outbound_streams)) {
|
|
|
|
asoc->c.sinit_max_instreams =
|
|
|
|
ntohs(peer_init->init_hdr.num_outbound_streams);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Copy Initiation tag from INIT to VT_peer in cookie. */
|
|
|
|
asoc->c.peer_vtag = asoc->peer.i.init_tag;
|
|
|
|
|
|
|
|
/* Peer Rwnd : Current calculated value of the peer's rwnd. */
|
|
|
|
asoc->peer.rwnd = asoc->peer.i.a_rwnd;
|
|
|
|
|
|
|
|
/* Copy cookie in case we need to resend COOKIE-ECHO. */
|
|
|
|
cookie = asoc->peer.cookie;
|
|
|
|
if (cookie) {
|
2006-11-21 10:20:33 +07:00
|
|
|
asoc->peer.cookie = kmemdup(cookie, asoc->peer.cookie_len, gfp);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!asoc->peer.cookie)
|
|
|
|
goto clean_up;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily
|
|
|
|
* high (for example, implementations MAY use the size of the receiver
|
|
|
|
* advertised window).
|
|
|
|
*/
|
2008-04-13 08:54:24 +07:00
|
|
|
list_for_each_entry(transport, &asoc->peer.transport_addr_list,
|
|
|
|
transports) {
|
2005-04-17 05:20:36 +07:00
|
|
|
transport->ssthresh = asoc->peer.i.a_rwnd;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Set up the TSN tracking pieces. */
|
2008-10-09 04:18:39 +07:00
|
|
|
if (!sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
|
|
|
|
asoc->peer.i.initial_tsn, gfp))
|
|
|
|
goto clean_up;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* RFC 2960 6.5 Stream Identifier and Stream Sequence Number
|
|
|
|
*
|
|
|
|
* The stream sequence number in all the streams shall start
|
|
|
|
* from 0 when the association is established. Also, when the
|
|
|
|
* stream sequence number reaches the value 65535 the next
|
|
|
|
* stream sequence number shall be set to 0.
|
|
|
|
*/
|
|
|
|
|
2005-06-21 03:14:57 +07:00
|
|
|
/* Allocate storage for the negotiated streams if it is not a temporary
|
2007-02-09 21:25:18 +07:00
|
|
|
* association.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
if (!asoc->temp) {
|
|
|
|
int error;
|
|
|
|
|
|
|
|
asoc->ssnmap = sctp_ssnmap_new(asoc->c.sinit_max_instreams,
|
|
|
|
asoc->c.sinit_num_ostreams, gfp);
|
|
|
|
if (!asoc->ssnmap)
|
|
|
|
goto clean_up;
|
|
|
|
|
2007-05-05 03:55:27 +07:00
|
|
|
error = sctp_assoc_set_id(asoc, gfp);
|
|
|
|
if (error)
|
2005-04-17 05:20:36 +07:00
|
|
|
goto clean_up;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ADDIP Section 4.1 ASCONF Chunk Procedures
|
|
|
|
*
|
|
|
|
* When an endpoint has an ASCONF signaled change to be sent to the
|
|
|
|
* remote endpoint it should do the following:
|
|
|
|
* ...
|
|
|
|
* A2) A serial number should be assigned to the Chunk. The serial
|
|
|
|
* number should be a monotonically increasing number. All serial
|
|
|
|
* numbers are defined to be initialized at the start of the
|
|
|
|
* association to the same value as the Initial TSN.
|
|
|
|
*/
|
|
|
|
asoc->peer.addip_serial = asoc->peer.i.initial_tsn - 1;
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
clean_up:
|
|
|
|
/* Release the transport structures. */
|
|
|
|
list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
|
|
|
|
transport = list_entry(pos, struct sctp_transport, transports);
|
2008-09-19 06:28:27 +07:00
|
|
|
if (transport->state != SCTP_ACTIVE)
|
|
|
|
sctp_assoc_rm_peer(asoc, transport);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
2005-06-21 03:14:57 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
nomem:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Update asoc with the option described in param.
|
|
|
|
*
|
|
|
|
* RFC2960 3.3.2.1 Optional/Variable Length Parameters in INIT
|
|
|
|
*
|
|
|
|
* asoc is the association to update.
|
|
|
|
* param is the variable length parameter to use for update.
|
|
|
|
* cid tells us if this is an INIT, INIT ACK or COOKIE ECHO.
|
|
|
|
* If the current packet is an INIT we want to minimize the amount of
|
|
|
|
* work we do. In particular, we should not build transport
|
|
|
|
* structures for the addresses.
|
|
|
|
*/
|
|
|
|
static int sctp_process_param(struct sctp_association *asoc,
|
|
|
|
union sctp_params param,
|
|
|
|
const union sctp_addr *peer_addr,
|
2005-10-07 13:46:04 +07:00
|
|
|
gfp_t gfp)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2012-08-07 14:27:02 +07:00
|
|
|
struct net *net = sock_net(asoc->base.sk);
|
2005-04-17 05:20:36 +07:00
|
|
|
union sctp_addr addr;
|
|
|
|
int i;
|
|
|
|
__u16 sat;
|
|
|
|
int retval = 1;
|
|
|
|
sctp_scope_t scope;
|
2015-09-30 18:26:40 +07:00
|
|
|
u32 stale;
|
2005-04-17 05:20:36 +07:00
|
|
|
struct sctp_af *af;
|
2007-12-21 05:10:00 +07:00
|
|
|
union sctp_addr_param *addr_param;
|
|
|
|
struct sctp_transport *t;
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
struct sctp_endpoint *ep = asoc->ep;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* We maintain all INIT parameters in network byte order all the
|
|
|
|
* time. This allows us to not worry about whether the parameters
|
|
|
|
* came from a fresh INIT, and INIT ACK, or were stored in a cookie.
|
|
|
|
*/
|
|
|
|
switch (param.p->type) {
|
|
|
|
case SCTP_PARAM_IPV6_ADDRESS:
|
|
|
|
if (PF_INET6 != asoc->base.sk->sk_family)
|
|
|
|
break;
|
2008-07-19 13:05:40 +07:00
|
|
|
goto do_addr_param;
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
case SCTP_PARAM_IPV4_ADDRESS:
|
2008-07-19 13:05:40 +07:00
|
|
|
/* v4 addresses are not allowed on v6-only socket */
|
|
|
|
if (ipv6_only_sock(asoc->base.sk))
|
|
|
|
break;
|
|
|
|
do_addr_param:
|
2005-04-17 05:20:36 +07:00
|
|
|
af = sctp_get_af_specific(param_type2af(param.p->type));
|
2006-11-21 08:11:13 +07:00
|
|
|
af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0);
|
2005-04-17 05:20:36 +07:00
|
|
|
scope = sctp_scope(peer_addr);
|
2012-08-07 14:27:02 +07:00
|
|
|
if (sctp_in_scope(net, &addr, scope))
|
2006-11-21 08:11:13 +07:00
|
|
|
if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_UNCONFIRMED))
|
2005-04-17 05:20:36 +07:00
|
|
|
return 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_COOKIE_PRESERVATIVE:
|
2012-08-07 14:29:57 +07:00
|
|
|
if (!net->sctp.cookie_preserve_enable)
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
stale = ntohl(param.life->lifespan_increment);
|
|
|
|
|
|
|
|
/* Suggested Cookie Life span increment's unit is msec,
|
|
|
|
* (1/1000sec).
|
|
|
|
*/
|
2013-06-25 23:17:27 +07:00
|
|
|
asoc->cookie_life = ktime_add_ms(asoc->cookie_life, stale);
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_HOST_NAME_ADDRESS:
|
net: sctp: rework debugging framework to use pr_debug and friends
We should get rid of all own SCTP debug printk macros and use the ones
that the kernel offers anyway instead. This makes the code more readable
and conform to the kernel code, and offers all the features of dynamic
debbuging that pr_debug() et al has, such as only turning on/off portions
of debug messages at runtime through debugfs. The runtime cost of having
CONFIG_DYNAMIC_DEBUG enabled, but none of the debug statements printing,
is negligible [1]. If kernel debugging is completly turned off, then these
statements will also compile into "empty" functions.
While we're at it, we also need to change the Kconfig option as it /now/
only refers to the ifdef'ed code portions in outqueue.c that enable further
debugging/tracing of SCTP transaction fields. Also, since SCTP_ASSERT code
was enabled with this Kconfig option and has now been removed, we
transform those code parts into WARNs resp. where appropriate BUG_ONs so
that those bugs can be more easily detected as probably not many people
have SCTP debugging permanently turned on.
To turn on all SCTP debugging, the following steps are needed:
# mount -t debugfs none /sys/kernel/debug
# echo -n 'module sctp +p' > /sys/kernel/debug/dynamic_debug/control
This can be done more fine-grained on a per file, per line basis and others
as described in [2].
[1] https://www.kernel.org/doc/ols/2009/ols2009-pages-39-46.pdf
[2] Documentation/dynamic-debug-howto.txt
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-29 00:49:40 +07:00
|
|
|
pr_debug("%s: unimplemented SCTP_HOST_NAME_ADDRESS\n", __func__);
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_SUPPORTED_ADDRESS_TYPES:
|
|
|
|
/* Turn off the default values first so we'll know which
|
|
|
|
* ones are really set by the peer.
|
|
|
|
*/
|
|
|
|
asoc->peer.ipv4_address = 0;
|
|
|
|
asoc->peer.ipv6_address = 0;
|
|
|
|
|
2008-03-06 04:43:32 +07:00
|
|
|
/* Assume that peer supports the address family
|
|
|
|
* by which it sends a packet.
|
|
|
|
*/
|
|
|
|
if (peer_addr->sa.sa_family == AF_INET6)
|
|
|
|
asoc->peer.ipv6_address = 1;
|
|
|
|
else if (peer_addr->sa.sa_family == AF_INET)
|
|
|
|
asoc->peer.ipv4_address = 1;
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Cycle through address types; avoid divide by 0. */
|
|
|
|
sat = ntohs(param.p->length) - sizeof(sctp_paramhdr_t);
|
|
|
|
if (sat)
|
|
|
|
sat /= sizeof(__u16);
|
|
|
|
|
|
|
|
for (i = 0; i < sat; ++i) {
|
|
|
|
switch (param.sat->types[i]) {
|
|
|
|
case SCTP_PARAM_IPV4_ADDRESS:
|
|
|
|
asoc->peer.ipv4_address = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_IPV6_ADDRESS:
|
2008-05-10 05:11:17 +07:00
|
|
|
if (PF_INET6 == asoc->base.sk->sk_family)
|
|
|
|
asoc->peer.ipv6_address = 1;
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_HOST_NAME_ADDRESS:
|
|
|
|
asoc->peer.hostname_address = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default: /* Just ignore anything else. */
|
|
|
|
break;
|
2007-04-21 07:09:22 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_STATE_COOKIE:
|
|
|
|
asoc->peer.cookie_len =
|
|
|
|
ntohs(param.p->length) - sizeof(sctp_paramhdr_t);
|
|
|
|
asoc->peer.cookie = param.cookie->body;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_HEARTBEAT_INFO:
|
|
|
|
/* Would be odd to receive, but it causes no problems. */
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_UNRECOGNIZED_PARAMETERS:
|
|
|
|
/* Rejected during verify stage. */
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_ECN_CAPABLE:
|
|
|
|
asoc->peer.ecn_capable = 1;
|
|
|
|
break;
|
|
|
|
|
2006-12-21 07:07:04 +07:00
|
|
|
case SCTP_PARAM_ADAPTATION_LAYER_IND:
|
2008-09-16 03:29:49 +07:00
|
|
|
asoc->peer.adaptation_ind = ntohl(param.aind->adaptation_ind);
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
|
2007-12-21 05:10:00 +07:00
|
|
|
case SCTP_PARAM_SET_PRIMARY:
|
2012-08-07 14:29:57 +07:00
|
|
|
if (!net->sctp.addip_enable)
|
2008-09-19 06:27:38 +07:00
|
|
|
goto fall_through;
|
|
|
|
|
2007-12-21 05:10:00 +07:00
|
|
|
addr_param = param.v + sizeof(sctp_addip_param_t);
|
|
|
|
|
net: sctp: fix passing wrong parameter header to param_type2af in sctp_process_param
When making use of RFC5061, section 4.2.4. for setting the primary IP
address, we're passing a wrong parameter header to param_type2af(),
resulting always in NULL being returned.
At this point, param.p points to a sctp_addip_param struct, containing
a sctp_paramhdr (type = 0xc004, length = var), and crr_id as a correlation
id. Followed by that, as also presented in RFC5061 section 4.2.4., comes
the actual sctp_addr_param, which also contains a sctp_paramhdr, but
this time with the correct type SCTP_PARAM_IPV{4,6}_ADDRESS that
param_type2af() can make use of. Since we already hold a pointer to
addr_param from previous line, just reuse it for param_type2af().
Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
Signed-off-by: Saran Maruti Ramanara <saran.neti@telus.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-29 17:05:58 +07:00
|
|
|
af = sctp_get_af_specific(param_type2af(addr_param->p.type));
|
2014-11-10 23:54:26 +07:00
|
|
|
if (af == NULL)
|
|
|
|
break;
|
|
|
|
|
2007-12-21 05:10:00 +07:00
|
|
|
af->from_addr_param(&addr, addr_param,
|
|
|
|
htons(asoc->peer.port), 0);
|
|
|
|
|
|
|
|
/* if the address is invalid, we can't process it.
|
|
|
|
* XXX: see spec for what to do.
|
|
|
|
*/
|
|
|
|
if (!af->addr_valid(&addr, NULL, NULL))
|
|
|
|
break;
|
|
|
|
|
|
|
|
t = sctp_assoc_lookup_paddr(asoc, &addr);
|
|
|
|
if (!t)
|
|
|
|
break;
|
|
|
|
|
|
|
|
sctp_assoc_set_primary(asoc, t);
|
|
|
|
break;
|
|
|
|
|
2007-09-17 05:53:56 +07:00
|
|
|
case SCTP_PARAM_SUPPORTED_EXT:
|
|
|
|
sctp_process_ext_param(asoc, param);
|
|
|
|
break;
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
case SCTP_PARAM_FWD_TSN_SUPPORT:
|
2016-07-09 18:47:40 +07:00
|
|
|
if (asoc->prsctp_enable) {
|
2005-04-17 05:20:36 +07:00
|
|
|
asoc->peer.prsctp_capable = 1;
|
|
|
|
break;
|
|
|
|
}
|
2007-02-09 21:25:18 +07:00
|
|
|
/* Fall Through */
|
2007-09-17 09:32:11 +07:00
|
|
|
goto fall_through;
|
|
|
|
|
|
|
|
case SCTP_PARAM_RANDOM:
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (!ep->auth_enable)
|
2007-09-17 09:32:11 +07:00
|
|
|
goto fall_through;
|
|
|
|
|
|
|
|
/* Save peer's random parameter */
|
|
|
|
asoc->peer.peer_random = kmemdup(param.p,
|
|
|
|
ntohs(param.p->length), gfp);
|
|
|
|
if (!asoc->peer.peer_random) {
|
|
|
|
retval = 0;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_HMAC_ALGO:
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (!ep->auth_enable)
|
2007-09-17 09:32:11 +07:00
|
|
|
goto fall_through;
|
|
|
|
|
|
|
|
/* Save peer's HMAC list */
|
|
|
|
asoc->peer.peer_hmacs = kmemdup(param.p,
|
|
|
|
ntohs(param.p->length), gfp);
|
|
|
|
if (!asoc->peer.peer_hmacs) {
|
|
|
|
retval = 0;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Set the default HMAC the peer requested*/
|
|
|
|
sctp_auth_asoc_set_default_hmac(asoc, param.hmac_algo);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_PARAM_CHUNKS:
|
net: sctp: cache auth_enable per endpoint
Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
[<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
[<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
[<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
[<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
[<ffffffff8043af68>] sctp_rcv+0x588/0x630
[<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
[<ffffffff803acb50>] ip6_input+0x2c0/0x440
[<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
[<ffffffff80310650>] process_backlog+0xb4/0x18c
[<ffffffff80313cbc>] net_rx_action+0x12c/0x210
[<ffffffff80034254>] __do_softirq+0x17c/0x2ac
[<ffffffff800345e0>] irq_exit+0x54/0xb0
[<ffffffff800075a4>] ret_from_irq+0x0/0x4
[<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
[<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
[<ffffffff805a88b0>] start_kernel+0x37c/0x398
Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
03e00008 00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
What happens while auth_enable=0 in that case is, that
ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.
After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net->sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.
The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.
Fix in joint work with Daniel Borkmann.
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-17 22:26:50 +07:00
|
|
|
if (!ep->auth_enable)
|
2007-09-17 09:32:11 +07:00
|
|
|
goto fall_through;
|
|
|
|
|
|
|
|
asoc->peer.peer_chunks = kmemdup(param.p,
|
|
|
|
ntohs(param.p->length), gfp);
|
|
|
|
if (!asoc->peer.peer_chunks)
|
|
|
|
retval = 0;
|
|
|
|
break;
|
|
|
|
fall_through:
|
2005-04-17 05:20:36 +07:00
|
|
|
default:
|
|
|
|
/* Any unrecognized parameters should have been caught
|
|
|
|
* and handled by sctp_verify_param() which should be
|
|
|
|
* called prior to this routine. Simply log the error
|
|
|
|
* here.
|
|
|
|
*/
|
net: sctp: rework debugging framework to use pr_debug and friends
We should get rid of all own SCTP debug printk macros and use the ones
that the kernel offers anyway instead. This makes the code more readable
and conform to the kernel code, and offers all the features of dynamic
debbuging that pr_debug() et al has, such as only turning on/off portions
of debug messages at runtime through debugfs. The runtime cost of having
CONFIG_DYNAMIC_DEBUG enabled, but none of the debug statements printing,
is negligible [1]. If kernel debugging is completly turned off, then these
statements will also compile into "empty" functions.
While we're at it, we also need to change the Kconfig option as it /now/
only refers to the ifdef'ed code portions in outqueue.c that enable further
debugging/tracing of SCTP transaction fields. Also, since SCTP_ASSERT code
was enabled with this Kconfig option and has now been removed, we
transform those code parts into WARNs resp. where appropriate BUG_ONs so
that those bugs can be more easily detected as probably not many people
have SCTP debugging permanently turned on.
To turn on all SCTP debugging, the following steps are needed:
# mount -t debugfs none /sys/kernel/debug
# echo -n 'module sctp +p' > /sys/kernel/debug/dynamic_debug/control
This can be done more fine-grained on a per file, per line basis and others
as described in [2].
[1] https://www.kernel.org/doc/ols/2009/ols2009-pages-39-46.pdf
[2] Documentation/dynamic-debug-howto.txt
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-29 00:49:40 +07:00
|
|
|
pr_debug("%s: ignoring param:%d for association:%p.\n",
|
|
|
|
__func__, ntohs(param.p->type), asoc);
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
2007-04-21 07:09:22 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Select a new verification tag. */
|
|
|
|
__u32 sctp_generate_tag(const struct sctp_endpoint *ep)
|
|
|
|
{
|
|
|
|
/* I believe that this random number generator complies with RFC1750.
|
|
|
|
* A tag of 0 is reserved for special cases (e.g. INIT).
|
|
|
|
*/
|
|
|
|
__u32 x;
|
|
|
|
|
|
|
|
do {
|
|
|
|
get_random_bytes(&x, sizeof(__u32));
|
|
|
|
} while (x == 0);
|
|
|
|
|
|
|
|
return x;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Select an initial TSN to send during startup. */
|
|
|
|
__u32 sctp_generate_tsn(const struct sctp_endpoint *ep)
|
|
|
|
{
|
|
|
|
__u32 retval;
|
|
|
|
|
|
|
|
get_random_bytes(&retval, sizeof(__u32));
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* ADDIP 3.1.1 Address Configuration Change Chunk (ASCONF)
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Type = 0xC1 | Chunk Flags | Chunk Length |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Serial Number |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Address Parameter |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | ASCONF Parameter #1 |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* \ \
|
|
|
|
* / .... /
|
|
|
|
* \ \
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | ASCONF Parameter #N |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
2007-02-09 21:25:18 +07:00
|
|
|
* Address Parameter and other parameter will not be wrapped in this function
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
static struct sctp_chunk *sctp_make_asconf(struct sctp_association *asoc,
|
|
|
|
union sctp_addr *addr,
|
|
|
|
int vparam_len)
|
|
|
|
{
|
|
|
|
sctp_addiphdr_t asconf;
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
int length = sizeof(asconf) + vparam_len;
|
|
|
|
union sctp_addr_param addrparam;
|
|
|
|
int addrlen;
|
|
|
|
struct sctp_af *af = sctp_get_af_specific(addr->v4.sin_family);
|
|
|
|
|
|
|
|
addrlen = af->to_addr_param(addr, &addrparam);
|
|
|
|
if (!addrlen)
|
|
|
|
return NULL;
|
|
|
|
length += addrlen;
|
|
|
|
|
|
|
|
/* Create the chunk. */
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_ASCONF, 0, length,
|
|
|
|
GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
asconf.serial = htonl(asoc->addip_serial++);
|
|
|
|
|
|
|
|
retval->subh.addip_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(asconf), &asconf);
|
|
|
|
retval->param_hdr.v =
|
|
|
|
sctp_addto_chunk(retval, addrlen, &addrparam);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ADDIP
|
|
|
|
* 3.2.1 Add IP Address
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Type = 0xC001 | Length = Variable |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | ASCONF-Request Correlation ID |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Address Parameter |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
* 3.2.2 Delete IP Address
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Type = 0xC002 | Length = Variable |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | ASCONF-Request Correlation ID |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Address Parameter |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *asoc,
|
|
|
|
union sctp_addr *laddr,
|
|
|
|
struct sockaddr *addrs,
|
|
|
|
int addrcnt,
|
2006-11-21 08:01:42 +07:00
|
|
|
__be16 flags)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
sctp_addip_param_t param;
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
union sctp_addr_param addr_param;
|
|
|
|
union sctp_addr *addr;
|
|
|
|
void *addr_buf;
|
|
|
|
struct sctp_af *af;
|
|
|
|
int paramlen = sizeof(param);
|
|
|
|
int addr_param_len = 0;
|
|
|
|
int totallen = 0;
|
|
|
|
int i;
|
2011-04-26 18:19:36 +07:00
|
|
|
int del_pickup = 0;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Get total length of all the address parameters. */
|
|
|
|
addr_buf = addrs;
|
|
|
|
for (i = 0; i < addrcnt; i++) {
|
2011-06-13 23:21:26 +07:00
|
|
|
addr = addr_buf;
|
2005-04-17 05:20:36 +07:00
|
|
|
af = sctp_get_af_specific(addr->v4.sin_family);
|
|
|
|
addr_param_len = af->to_addr_param(addr, &addr_param);
|
|
|
|
|
|
|
|
totallen += paramlen;
|
|
|
|
totallen += addr_param_len;
|
|
|
|
|
|
|
|
addr_buf += af->sockaddr_len;
|
2011-04-26 18:19:36 +07:00
|
|
|
if (asoc->asconf_addr_del_pending && !del_pickup) {
|
|
|
|
/* reuse the parameter length from the same scope one */
|
|
|
|
totallen += paramlen;
|
|
|
|
totallen += addr_param_len;
|
|
|
|
del_pickup = 1;
|
net: sctp: rework debugging framework to use pr_debug and friends
We should get rid of all own SCTP debug printk macros and use the ones
that the kernel offers anyway instead. This makes the code more readable
and conform to the kernel code, and offers all the features of dynamic
debbuging that pr_debug() et al has, such as only turning on/off portions
of debug messages at runtime through debugfs. The runtime cost of having
CONFIG_DYNAMIC_DEBUG enabled, but none of the debug statements printing,
is negligible [1]. If kernel debugging is completly turned off, then these
statements will also compile into "empty" functions.
While we're at it, we also need to change the Kconfig option as it /now/
only refers to the ifdef'ed code portions in outqueue.c that enable further
debugging/tracing of SCTP transaction fields. Also, since SCTP_ASSERT code
was enabled with this Kconfig option and has now been removed, we
transform those code parts into WARNs resp. where appropriate BUG_ONs so
that those bugs can be more easily detected as probably not many people
have SCTP debugging permanently turned on.
To turn on all SCTP debugging, the following steps are needed:
# mount -t debugfs none /sys/kernel/debug
# echo -n 'module sctp +p' > /sys/kernel/debug/dynamic_debug/control
This can be done more fine-grained on a per file, per line basis and others
as described in [2].
[1] https://www.kernel.org/doc/ols/2009/ols2009-pages-39-46.pdf
[2] Documentation/dynamic-debug-howto.txt
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-29 00:49:40 +07:00
|
|
|
|
|
|
|
pr_debug("%s: picked same-scope del_pending addr, "
|
|
|
|
"totallen for all addresses is %d\n",
|
|
|
|
__func__, totallen);
|
2011-04-26 18:19:36 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Create an asconf chunk with the required length. */
|
|
|
|
retval = sctp_make_asconf(asoc, laddr, totallen);
|
|
|
|
if (!retval)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/* Add the address parameters to the asconf chunk. */
|
|
|
|
addr_buf = addrs;
|
|
|
|
for (i = 0; i < addrcnt; i++) {
|
2011-06-13 23:21:26 +07:00
|
|
|
addr = addr_buf;
|
2005-04-17 05:20:36 +07:00
|
|
|
af = sctp_get_af_specific(addr->v4.sin_family);
|
|
|
|
addr_param_len = af->to_addr_param(addr, &addr_param);
|
|
|
|
param.param_hdr.type = flags;
|
|
|
|
param.param_hdr.length = htons(paramlen + addr_param_len);
|
|
|
|
param.crr_id = i;
|
|
|
|
|
|
|
|
sctp_addto_chunk(retval, paramlen, ¶m);
|
|
|
|
sctp_addto_chunk(retval, addr_param_len, &addr_param);
|
|
|
|
|
|
|
|
addr_buf += af->sockaddr_len;
|
|
|
|
}
|
2011-04-26 18:19:36 +07:00
|
|
|
if (flags == SCTP_PARAM_ADD_IP && del_pickup) {
|
|
|
|
addr = asoc->asconf_addr_del_pending;
|
|
|
|
af = sctp_get_af_specific(addr->v4.sin_family);
|
|
|
|
addr_param_len = af->to_addr_param(addr, &addr_param);
|
|
|
|
param.param_hdr.type = SCTP_PARAM_DEL_IP;
|
|
|
|
param.param_hdr.length = htons(paramlen + addr_param_len);
|
|
|
|
param.crr_id = i;
|
|
|
|
|
|
|
|
sctp_addto_chunk(retval, paramlen, ¶m);
|
|
|
|
sctp_addto_chunk(retval, addr_param_len, &addr_param);
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ADDIP
|
|
|
|
* 3.2.4 Set Primary IP Address
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Type =0xC004 | Length = Variable |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | ASCONF-Request Correlation ID |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Address Parameter |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
2007-02-09 21:25:18 +07:00
|
|
|
* Create an ASCONF chunk with Set Primary IP address parameter.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
|
|
|
|
union sctp_addr *addr)
|
|
|
|
{
|
|
|
|
sctp_addip_param_t param;
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
int len = sizeof(param);
|
|
|
|
union sctp_addr_param addrparam;
|
|
|
|
int addrlen;
|
|
|
|
struct sctp_af *af = sctp_get_af_specific(addr->v4.sin_family);
|
|
|
|
|
|
|
|
addrlen = af->to_addr_param(addr, &addrparam);
|
|
|
|
if (!addrlen)
|
|
|
|
return NULL;
|
|
|
|
len += addrlen;
|
|
|
|
|
|
|
|
/* Create the chunk and make asconf header. */
|
|
|
|
retval = sctp_make_asconf(asoc, addr, len);
|
|
|
|
if (!retval)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
param.param_hdr.type = SCTP_PARAM_SET_PRIMARY;
|
|
|
|
param.param_hdr.length = htons(len);
|
|
|
|
param.crr_id = 0;
|
|
|
|
|
|
|
|
sctp_addto_chunk(retval, sizeof(param), ¶m);
|
|
|
|
sctp_addto_chunk(retval, addrlen, &addrparam);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ADDIP 3.1.2 Address Configuration Acknowledgement Chunk (ASCONF-ACK)
|
|
|
|
* 0 1 2 3
|
|
|
|
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Type = 0x80 | Chunk Flags | Chunk Length |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | Serial Number |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | ASCONF Parameter Response#1 |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* \ \
|
|
|
|
* / .... /
|
|
|
|
* \ \
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
* | ASCONF Parameter Response#N |
|
|
|
|
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
*
|
2007-02-09 21:25:18 +07:00
|
|
|
* Create an ASCONF_ACK chunk with enough space for the parameter responses.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
static struct sctp_chunk *sctp_make_asconf_ack(const struct sctp_association *asoc,
|
|
|
|
__u32 serial, int vparam_len)
|
|
|
|
{
|
|
|
|
sctp_addiphdr_t asconf;
|
|
|
|
struct sctp_chunk *retval;
|
|
|
|
int length = sizeof(asconf) + vparam_len;
|
|
|
|
|
|
|
|
/* Create the chunk. */
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_ASCONF_ACK, 0, length,
|
|
|
|
GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!retval)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
asconf.serial = htonl(serial);
|
|
|
|
|
|
|
|
retval->subh.addip_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(asconf), &asconf);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Add response parameters to an ASCONF_ACK chunk. */
|
2006-11-21 08:26:34 +07:00
|
|
|
static void sctp_add_asconf_response(struct sctp_chunk *chunk, __be32 crr_id,
|
2006-11-21 08:01:42 +07:00
|
|
|
__be16 err_code, sctp_addip_param_t *asconf_param)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
sctp_addip_param_t ack_param;
|
|
|
|
sctp_errhdr_t err_param;
|
|
|
|
int asconf_param_len = 0;
|
|
|
|
int err_param_len = 0;
|
2006-11-21 08:01:42 +07:00
|
|
|
__be16 response_type;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (SCTP_ERROR_NO_ERROR == err_code) {
|
|
|
|
response_type = SCTP_PARAM_SUCCESS_REPORT;
|
|
|
|
} else {
|
|
|
|
response_type = SCTP_PARAM_ERR_CAUSE;
|
|
|
|
err_param_len = sizeof(err_param);
|
|
|
|
if (asconf_param)
|
|
|
|
asconf_param_len =
|
|
|
|
ntohs(asconf_param->param_hdr.length);
|
|
|
|
}
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
/* Add Success Indication or Error Cause Indication parameter. */
|
2005-04-17 05:20:36 +07:00
|
|
|
ack_param.param_hdr.type = response_type;
|
|
|
|
ack_param.param_hdr.length = htons(sizeof(ack_param) +
|
|
|
|
err_param_len +
|
|
|
|
asconf_param_len);
|
|
|
|
ack_param.crr_id = crr_id;
|
|
|
|
sctp_addto_chunk(chunk, sizeof(ack_param), &ack_param);
|
|
|
|
|
|
|
|
if (SCTP_ERROR_NO_ERROR == err_code)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* Add Error Cause parameter. */
|
|
|
|
err_param.cause = err_code;
|
|
|
|
err_param.length = htons(err_param_len + asconf_param_len);
|
|
|
|
sctp_addto_chunk(chunk, err_param_len, &err_param);
|
|
|
|
|
|
|
|
/* Add the failed TLV copied from ASCONF chunk. */
|
|
|
|
if (asconf_param)
|
|
|
|
sctp_addto_chunk(chunk, asconf_param_len, asconf_param);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Process a asconf parameter. */
|
2006-11-21 08:01:42 +07:00
|
|
|
static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
|
2005-04-17 05:20:36 +07:00
|
|
|
struct sctp_chunk *asconf,
|
|
|
|
sctp_addip_param_t *asconf_param)
|
|
|
|
{
|
|
|
|
struct sctp_transport *peer;
|
|
|
|
struct sctp_af *af;
|
|
|
|
union sctp_addr addr;
|
|
|
|
union sctp_addr_param *addr_param;
|
2006-11-21 08:05:23 +07:00
|
|
|
|
2011-06-13 23:21:26 +07:00
|
|
|
addr_param = (void *)asconf_param + sizeof(sctp_addip_param_t);
|
2008-05-14 13:25:00 +07:00
|
|
|
|
2009-06-16 13:48:24 +07:00
|
|
|
if (asconf_param->param_hdr.type != SCTP_PARAM_ADD_IP &&
|
|
|
|
asconf_param->param_hdr.type != SCTP_PARAM_DEL_IP &&
|
|
|
|
asconf_param->param_hdr.type != SCTP_PARAM_SET_PRIMARY)
|
|
|
|
return SCTP_ERROR_UNKNOWN_PARAM;
|
|
|
|
|
2011-04-19 02:11:47 +07:00
|
|
|
switch (addr_param->p.type) {
|
2008-05-10 05:11:53 +07:00
|
|
|
case SCTP_PARAM_IPV6_ADDRESS:
|
|
|
|
if (!asoc->peer.ipv6_address)
|
2009-04-16 13:21:02 +07:00
|
|
|
return SCTP_ERROR_DNS_FAILED;
|
2008-05-10 05:11:53 +07:00
|
|
|
break;
|
|
|
|
case SCTP_PARAM_IPV4_ADDRESS:
|
|
|
|
if (!asoc->peer.ipv4_address)
|
2009-04-16 13:21:02 +07:00
|
|
|
return SCTP_ERROR_DNS_FAILED;
|
2008-05-10 05:11:53 +07:00
|
|
|
break;
|
|
|
|
default:
|
2009-04-16 13:21:02 +07:00
|
|
|
return SCTP_ERROR_DNS_FAILED;
|
2008-05-10 05:11:53 +07:00
|
|
|
}
|
|
|
|
|
2011-04-19 02:11:47 +07:00
|
|
|
af = sctp_get_af_specific(param_type2af(addr_param->p.type));
|
2005-04-17 05:20:36 +07:00
|
|
|
if (unlikely(!af))
|
2009-04-16 13:21:02 +07:00
|
|
|
return SCTP_ERROR_DNS_FAILED;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2006-11-21 08:11:13 +07:00
|
|
|
af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);
|
2007-12-21 05:08:56 +07:00
|
|
|
|
|
|
|
/* ADDIP 4.2.1 This parameter MUST NOT contain a broadcast
|
|
|
|
* or multicast address.
|
|
|
|
* (note: wildcard is permitted and requires special handling so
|
|
|
|
* make sure we check for that)
|
|
|
|
*/
|
|
|
|
if (!af->is_any(&addr) && !af->addr_valid(&addr, NULL, asconf->skb))
|
2009-04-16 13:21:02 +07:00
|
|
|
return SCTP_ERROR_DNS_FAILED;
|
2007-12-21 05:08:56 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
switch (asconf_param->param_hdr.type) {
|
|
|
|
case SCTP_PARAM_ADD_IP:
|
2007-12-21 05:08:56 +07:00
|
|
|
/* Section 4.2.1:
|
|
|
|
* If the address 0.0.0.0 or ::0 is provided, the source
|
|
|
|
* address of the packet MUST be added.
|
|
|
|
*/
|
|
|
|
if (af->is_any(&addr))
|
|
|
|
memcpy(&addr, &asconf->source, sizeof(addr));
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
|
2007-02-09 21:25:18 +07:00
|
|
|
* request and does not have the local resources to add this
|
|
|
|
* new address to the association, it MUST return an Error
|
|
|
|
* Cause TLV set to the new error code 'Operation Refused
|
|
|
|
* Due to Resource Shortage'.
|
|
|
|
*/
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2006-11-21 08:11:13 +07:00
|
|
|
peer = sctp_assoc_add_peer(asoc, &addr, GFP_ATOMIC, SCTP_UNCONFIRMED);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!peer)
|
|
|
|
return SCTP_ERROR_RSRC_LOW;
|
|
|
|
|
|
|
|
/* Start the heartbeat timer. */
|
sctp: avoid refreshing heartbeat timer too often
Currently on high rate SCTP streams the heartbeat timer refresh can
consume quite a lot of resources as timer updates are costly and it
contains a random factor, which a) is also costly and b) invalidates
mod_timer() optimization for not editing a timer to the same value.
It may even cause the timer to be slightly advanced, for no good reason.
As suggested by David Laight this patch now removes this timer update
from hot path by leaving the timer on and re-evaluating upon its
expiration if the heartbeat is still needed or not, similarly to what is
done for TCP. If it's not needed anymore the timer is re-scheduled to
the new timeout, considering the time already elapsed.
For this, we now record the last tx timestamp per transport, updated in
the same spots as hb timer was restarted on tx. Also split up
sctp_transport_reset_timers into sctp_transport_reset_t3_rtx and
sctp_transport_reset_hb_timer, so we can re-arm T3 without re-arming the
heartbeat one.
On loopback with MTU of 65535 and data chunks with 1636, so that we
have a considerable amount of chunks without stressing system calls,
netperf -t SCTP_STREAM -l 30, perf looked like this before:
Samples: 103K of event 'cpu-clock', Event count (approx.): 25833000000
Overhead Command Shared Object Symbol
+ 6,15% netperf [kernel.vmlinux] [k] copy_user_enhanced_fast_string
- 5,43% netperf [kernel.vmlinux] [k] _raw_write_unlock_irqrestore
- _raw_write_unlock_irqrestore
- 96,54% _raw_spin_unlock_irqrestore
- 36,14% mod_timer
+ 97,24% sctp_transport_reset_timers
+ 2,76% sctp_do_sm
+ 33,65% __wake_up_sync_key
+ 28,77% sctp_ulpq_tail_event
+ 1,40% del_timer
- 1,84% mod_timer
+ 99,03% sctp_transport_reset_timers
+ 0,97% sctp_do_sm
+ 1,50% sctp_ulpq_tail_event
And after this patch, now with netperf -l 60:
Samples: 230K of event 'cpu-clock', Event count (approx.): 57707250000
Overhead Command Shared Object Symbol
+ 5,65% netperf [kernel.vmlinux] [k] memcpy_erms
+ 5,59% netperf [kernel.vmlinux] [k] copy_user_enhanced_fast_string
- 5,05% netperf [kernel.vmlinux] [k] _raw_spin_unlock_irqrestore
- _raw_spin_unlock_irqrestore
+ 49,89% __wake_up_sync_key
+ 45,68% sctp_ulpq_tail_event
- 2,85% mod_timer
+ 76,51% sctp_transport_reset_t3_rtx
+ 23,49% sctp_do_sm
+ 1,55% del_timer
+ 2,50% netperf [sctp] [k] sctp_datamsg_from_user
+ 2,26% netperf [sctp] [k] sctp_sendmsg
Throughput-wise, from 6800mbps without the patch to 7050mbps with it,
~3.7%.
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-07 01:15:19 +07:00
|
|
|
sctp_transport_reset_hb_timer(peer);
|
2011-06-16 15:14:34 +07:00
|
|
|
asoc->new_transport = peer;
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
case SCTP_PARAM_DEL_IP:
|
|
|
|
/* ADDIP 4.3 D7) If a request is received to delete the
|
2007-02-09 21:25:18 +07:00
|
|
|
* last remaining IP address of a peer endpoint, the receiver
|
|
|
|
* MUST send an Error Cause TLV with the error cause set to the
|
|
|
|
* new error code 'Request to Delete Last Remaining IP Address'.
|
|
|
|
*/
|
2007-12-21 05:08:56 +07:00
|
|
|
if (asoc->peer.transport_count == 1)
|
2005-04-17 05:20:36 +07:00
|
|
|
return SCTP_ERROR_DEL_LAST_IP;
|
|
|
|
|
|
|
|
/* ADDIP 4.3 D8) If a request is received to delete an IP
|
|
|
|
* address which is also the source address of the IP packet
|
|
|
|
* which contained the ASCONF chunk, the receiver MUST reject
|
|
|
|
* this request. To reject the request the receiver MUST send
|
|
|
|
* an Error Cause TLV set to the new error code 'Request to
|
|
|
|
* Delete Source IP Address'
|
|
|
|
*/
|
2011-04-26 15:37:02 +07:00
|
|
|
if (sctp_cmp_addr_exact(&asconf->source, &addr))
|
2005-04-17 05:20:36 +07:00
|
|
|
return SCTP_ERROR_DEL_SRC_IP;
|
|
|
|
|
2007-12-21 05:08:56 +07:00
|
|
|
/* Section 4.2.2
|
|
|
|
* If the address 0.0.0.0 or ::0 is provided, all
|
|
|
|
* addresses of the peer except the source address of the
|
|
|
|
* packet MUST be deleted.
|
|
|
|
*/
|
|
|
|
if (af->is_any(&addr)) {
|
|
|
|
sctp_assoc_set_primary(asoc, asconf->transport);
|
|
|
|
sctp_assoc_del_nonprimary_peers(asoc,
|
|
|
|
asconf->transport);
|
2015-08-28 16:45:58 +07:00
|
|
|
return SCTP_ERROR_NO_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* If the address is not part of the association, the
|
|
|
|
* ASCONF-ACK with Error Cause Indication Parameter
|
|
|
|
* which including cause of Unresolvable Address should
|
|
|
|
* be sent.
|
|
|
|
*/
|
|
|
|
peer = sctp_assoc_lookup_paddr(asoc, &addr);
|
|
|
|
if (!peer)
|
|
|
|
return SCTP_ERROR_DNS_FAILED;
|
|
|
|
|
|
|
|
sctp_assoc_rm_peer(asoc, peer);
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
case SCTP_PARAM_SET_PRIMARY:
|
2007-12-21 05:08:56 +07:00
|
|
|
/* ADDIP Section 4.2.4
|
|
|
|
* If the address 0.0.0.0 or ::0 is provided, the receiver
|
|
|
|
* MAY mark the source address of the packet as its
|
|
|
|
* primary.
|
|
|
|
*/
|
|
|
|
if (af->is_any(&addr))
|
|
|
|
memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
|
|
|
|
|
2006-11-21 08:11:13 +07:00
|
|
|
peer = sctp_assoc_lookup_paddr(asoc, &addr);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!peer)
|
2009-04-16 13:21:02 +07:00
|
|
|
return SCTP_ERROR_DNS_FAILED;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
sctp_assoc_set_primary(asoc, peer);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return SCTP_ERROR_NO_ERROR;
|
|
|
|
}
|
|
|
|
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
/* Verify the ASCONF packet before we process it. */
|
|
|
|
bool sctp_verify_asconf(const struct sctp_association *asoc,
|
|
|
|
struct sctp_chunk *chunk, bool addr_param_needed,
|
|
|
|
struct sctp_paramhdr **errp)
|
|
|
|
{
|
|
|
|
sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
|
2007-09-19 16:19:52 +07:00
|
|
|
union sctp_params param;
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
bool addr_param_seen = false;
|
2007-09-19 16:19:52 +07:00
|
|
|
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
sctp_walk_params(param, addip, addip_hdr.params) {
|
|
|
|
size_t length = ntohs(param.p->length);
|
2007-09-19 16:19:52 +07:00
|
|
|
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
*errp = param.p;
|
2007-09-19 16:19:52 +07:00
|
|
|
switch (param.p->type) {
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
case SCTP_PARAM_ERR_CAUSE:
|
|
|
|
break;
|
|
|
|
case SCTP_PARAM_IPV4_ADDRESS:
|
|
|
|
if (length != sizeof(sctp_ipv4addr_param_t))
|
|
|
|
return false;
|
2015-08-27 15:26:34 +07:00
|
|
|
/* ensure there is only one addr param and it's in the
|
|
|
|
* beginning of addip_hdr params, or we reject it.
|
|
|
|
*/
|
|
|
|
if (param.v != addip->addip_hdr.params)
|
|
|
|
return false;
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
addr_param_seen = true;
|
|
|
|
break;
|
|
|
|
case SCTP_PARAM_IPV6_ADDRESS:
|
|
|
|
if (length != sizeof(sctp_ipv6addr_param_t))
|
|
|
|
return false;
|
2015-08-27 15:26:34 +07:00
|
|
|
if (param.v != addip->addip_hdr.params)
|
|
|
|
return false;
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
addr_param_seen = true;
|
|
|
|
break;
|
2007-09-19 16:19:52 +07:00
|
|
|
case SCTP_PARAM_ADD_IP:
|
|
|
|
case SCTP_PARAM_DEL_IP:
|
|
|
|
case SCTP_PARAM_SET_PRIMARY:
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
/* In ASCONF chunks, these need to be first. */
|
|
|
|
if (addr_param_needed && !addr_param_seen)
|
|
|
|
return false;
|
|
|
|
length = ntohs(param.addip->param_hdr.length);
|
|
|
|
if (length < sizeof(sctp_addip_param_t) +
|
|
|
|
sizeof(sctp_paramhdr_t))
|
|
|
|
return false;
|
2007-09-19 16:19:52 +07:00
|
|
|
break;
|
|
|
|
case SCTP_PARAM_SUCCESS_REPORT:
|
|
|
|
case SCTP_PARAM_ADAPTATION_LAYER_IND:
|
|
|
|
if (length != sizeof(sctp_addip_param_t))
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
return false;
|
2007-09-19 16:19:52 +07:00
|
|
|
break;
|
|
|
|
default:
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
/* This is unkown to us, reject! */
|
|
|
|
return false;
|
2007-09-19 16:19:52 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
/* Remaining sanity checks. */
|
|
|
|
if (addr_param_needed && !addr_param_seen)
|
|
|
|
return false;
|
|
|
|
if (!addr_param_needed && addr_param_seen)
|
|
|
|
return false;
|
|
|
|
if (param.v != chunk->chunk_end)
|
|
|
|
return false;
|
2007-09-19 16:19:52 +07:00
|
|
|
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
return true;
|
2007-09-19 16:19:52 +07:00
|
|
|
}
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
/* Process an incoming ASCONF chunk with the next expected serial no. and
|
2005-04-17 05:20:36 +07:00
|
|
|
* return an ASCONF_ACK chunk to be sent in response.
|
|
|
|
*/
|
|
|
|
struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
|
|
|
|
struct sctp_chunk *asconf)
|
|
|
|
{
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
|
|
|
|
bool all_param_pass = true;
|
|
|
|
union sctp_params param;
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_addiphdr_t *hdr;
|
|
|
|
union sctp_addr_param *addr_param;
|
|
|
|
sctp_addip_param_t *asconf_param;
|
|
|
|
struct sctp_chunk *asconf_ack;
|
2006-11-21 08:01:42 +07:00
|
|
|
__be16 err_code;
|
2005-04-17 05:20:36 +07:00
|
|
|
int length = 0;
|
2007-10-15 09:51:03 +07:00
|
|
|
int chunk_len;
|
2005-04-17 05:20:36 +07:00
|
|
|
__u32 serial;
|
|
|
|
|
2007-10-15 09:51:03 +07:00
|
|
|
chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
|
2005-04-17 05:20:36 +07:00
|
|
|
hdr = (sctp_addiphdr_t *)asconf->skb->data;
|
|
|
|
serial = ntohl(hdr->serial);
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
/* Skip the addiphdr and store a pointer to address parameter. */
|
2005-04-17 05:20:36 +07:00
|
|
|
length = sizeof(sctp_addiphdr_t);
|
|
|
|
addr_param = (union sctp_addr_param *)(asconf->skb->data + length);
|
|
|
|
chunk_len -= length;
|
|
|
|
|
|
|
|
/* Skip the address parameter and store a pointer to the first
|
2007-12-21 05:03:52 +07:00
|
|
|
* asconf parameter.
|
2007-02-09 21:25:18 +07:00
|
|
|
*/
|
2011-04-19 02:11:47 +07:00
|
|
|
length = ntohs(addr_param->p.length);
|
2011-06-13 23:21:26 +07:00
|
|
|
asconf_param = (void *)addr_param + length;
|
2005-04-17 05:20:36 +07:00
|
|
|
chunk_len -= length;
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
/* create an ASCONF_ACK chunk.
|
2005-04-17 05:20:36 +07:00
|
|
|
* Based on the definitions of parameters, we know that the size of
|
2011-04-01 06:42:55 +07:00
|
|
|
* ASCONF_ACK parameters are less than or equal to the fourfold of ASCONF
|
2007-12-21 05:03:52 +07:00
|
|
|
* parameters.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
2011-04-01 06:42:55 +07:00
|
|
|
asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 4);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!asconf_ack)
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
/* Process the TLVs contained within the ASCONF chunk. */
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
sctp_walk_params(param, addip, addip_hdr.params) {
|
|
|
|
/* Skip preceeding address parameters. */
|
|
|
|
if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
|
|
|
|
param.p->type == SCTP_PARAM_IPV6_ADDRESS)
|
|
|
|
continue;
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
err_code = sctp_process_asconf_param(asoc, asconf,
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
param.addip);
|
2005-04-17 05:20:36 +07:00
|
|
|
/* ADDIP 4.1 A7)
|
|
|
|
* If an error response is received for a TLV parameter,
|
|
|
|
* all TLVs with no response before the failed TLV are
|
|
|
|
* considered successful if not reported. All TLVs after
|
|
|
|
* the failed response are considered unsuccessful unless
|
|
|
|
* a specific success indication is present for the parameter.
|
|
|
|
*/
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
if (err_code != SCTP_ERROR_NO_ERROR)
|
|
|
|
all_param_pass = false;
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!all_param_pass)
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
|
|
|
|
err_code, param.addip);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
|
|
|
|
* an IP address sends an 'Out of Resource' in its response, it
|
|
|
|
* MUST also fail any subsequent add or delete requests bundled
|
2007-02-09 21:25:18 +07:00
|
|
|
* in the ASCONF.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-10-10 03:55:31 +07:00
|
|
|
if (err_code == SCTP_ERROR_RSRC_LOW)
|
2005-04-17 05:20:36 +07:00
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
done:
|
|
|
|
asoc->peer.addip_serial++;
|
|
|
|
|
|
|
|
/* If we are sending a new ASCONF_ACK hold a reference to it in assoc
|
2007-02-09 21:25:18 +07:00
|
|
|
* after freeing the reference to old asconf ack if any.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
if (asconf_ack) {
|
|
|
|
sctp_chunk_hold(asconf_ack);
|
2007-12-21 05:11:47 +07:00
|
|
|
list_add_tail(&asconf_ack->transmitted_list,
|
|
|
|
&asoc->asconf_ack_list);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
return asconf_ack;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Process a asconf parameter that is successfully acked. */
|
2009-06-16 13:47:30 +07:00
|
|
|
static void sctp_asconf_param_success(struct sctp_association *asoc,
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_addip_param_t *asconf_param)
|
|
|
|
{
|
|
|
|
struct sctp_af *af;
|
|
|
|
union sctp_addr addr;
|
|
|
|
struct sctp_bind_addr *bp = &asoc->base.bind_addr;
|
|
|
|
union sctp_addr_param *addr_param;
|
|
|
|
struct sctp_transport *transport;
|
2006-07-22 04:49:25 +07:00
|
|
|
struct sctp_sockaddr_entry *saddr;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2011-06-13 23:21:26 +07:00
|
|
|
addr_param = (void *)asconf_param + sizeof(sctp_addip_param_t);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* We have checked the packet before, so we do not check again. */
|
2011-04-19 02:11:47 +07:00
|
|
|
af = sctp_get_af_specific(param_type2af(addr_param->p.type));
|
2006-11-21 08:11:13 +07:00
|
|
|
af->from_addr_param(&addr, addr_param, htons(bp->port), 0);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
switch (asconf_param->param_hdr.type) {
|
|
|
|
case SCTP_PARAM_ADD_IP:
|
2007-09-17 06:03:28 +07:00
|
|
|
/* This is always done in BH context with a socket lock
|
|
|
|
* held, so the list can not change.
|
|
|
|
*/
|
2007-10-25 03:10:00 +07:00
|
|
|
local_bh_disable();
|
2007-09-17 06:03:28 +07:00
|
|
|
list_for_each_entry(saddr, &bp->address_list, list) {
|
2006-11-21 08:11:13 +07:00
|
|
|
if (sctp_cmp_addr_exact(&saddr->a, &addr))
|
2007-12-21 05:12:24 +07:00
|
|
|
saddr->state = SCTP_ADDR_SRC;
|
2006-07-22 04:49:25 +07:00
|
|
|
}
|
2007-10-25 03:10:00 +07:00
|
|
|
local_bh_enable();
|
2009-06-16 09:07:23 +07:00
|
|
|
list_for_each_entry(transport, &asoc->peer.transport_addr_list,
|
|
|
|
transports) {
|
|
|
|
dst_release(transport->dst);
|
2011-04-19 02:15:22 +07:00
|
|
|
transport->dst = NULL;
|
2009-06-16 09:07:23 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
case SCTP_PARAM_DEL_IP:
|
2007-10-25 03:10:00 +07:00
|
|
|
local_bh_disable();
|
2009-06-16 13:47:30 +07:00
|
|
|
sctp_del_bind_addr(bp, &addr);
|
2011-04-26 18:19:36 +07:00
|
|
|
if (asoc->asconf_addr_del_pending != NULL &&
|
|
|
|
sctp_cmp_addr_exact(asoc->asconf_addr_del_pending, &addr)) {
|
|
|
|
kfree(asoc->asconf_addr_del_pending);
|
|
|
|
asoc->asconf_addr_del_pending = NULL;
|
|
|
|
}
|
2007-10-25 03:10:00 +07:00
|
|
|
local_bh_enable();
|
2008-04-13 08:54:24 +07:00
|
|
|
list_for_each_entry(transport, &asoc->peer.transport_addr_list,
|
|
|
|
transports) {
|
2006-07-22 04:49:25 +07:00
|
|
|
dst_release(transport->dst);
|
2011-04-19 02:15:22 +07:00
|
|
|
transport->dst = NULL;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Get the corresponding ASCONF response error code from the ASCONF_ACK chunk
|
|
|
|
* for the given asconf parameter. If there is no response for this parameter,
|
2007-02-09 21:25:18 +07:00
|
|
|
* return the error code based on the third argument 'no_err'.
|
2005-04-17 05:20:36 +07:00
|
|
|
* ADDIP 4.1
|
|
|
|
* A7) If an error response is received for a TLV parameter, all TLVs with no
|
|
|
|
* response before the failed TLV are considered successful if not reported.
|
|
|
|
* All TLVs after the failed response are considered unsuccessful unless a
|
|
|
|
* specific success indication is present for the parameter.
|
|
|
|
*/
|
2006-11-21 08:01:42 +07:00
|
|
|
static __be16 sctp_get_asconf_response(struct sctp_chunk *asconf_ack,
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_addip_param_t *asconf_param,
|
|
|
|
int no_err)
|
|
|
|
{
|
|
|
|
sctp_addip_param_t *asconf_ack_param;
|
|
|
|
sctp_errhdr_t *err_param;
|
|
|
|
int length;
|
2007-10-15 09:51:03 +07:00
|
|
|
int asconf_ack_len;
|
2006-11-21 08:01:42 +07:00
|
|
|
__be16 err_code;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (no_err)
|
|
|
|
err_code = SCTP_ERROR_NO_ERROR;
|
|
|
|
else
|
|
|
|
err_code = SCTP_ERROR_REQ_REFUSED;
|
|
|
|
|
2007-10-15 09:51:03 +07:00
|
|
|
asconf_ack_len = ntohs(asconf_ack->chunk_hdr->length) -
|
|
|
|
sizeof(sctp_chunkhdr_t);
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Skip the addiphdr from the asconf_ack chunk and store a pointer to
|
|
|
|
* the first asconf_ack parameter.
|
2007-02-09 21:25:18 +07:00
|
|
|
*/
|
2005-04-17 05:20:36 +07:00
|
|
|
length = sizeof(sctp_addiphdr_t);
|
|
|
|
asconf_ack_param = (sctp_addip_param_t *)(asconf_ack->skb->data +
|
|
|
|
length);
|
|
|
|
asconf_ack_len -= length;
|
|
|
|
|
|
|
|
while (asconf_ack_len > 0) {
|
|
|
|
if (asconf_ack_param->crr_id == asconf_param->crr_id) {
|
2013-12-23 11:16:50 +07:00
|
|
|
switch (asconf_ack_param->param_hdr.type) {
|
2005-04-17 05:20:36 +07:00
|
|
|
case SCTP_PARAM_SUCCESS_REPORT:
|
|
|
|
return SCTP_ERROR_NO_ERROR;
|
|
|
|
case SCTP_PARAM_ERR_CAUSE:
|
|
|
|
length = sizeof(sctp_addip_param_t);
|
2011-06-13 23:21:26 +07:00
|
|
|
err_param = (void *)asconf_ack_param + length;
|
2005-04-17 05:20:36 +07:00
|
|
|
asconf_ack_len -= length;
|
|
|
|
if (asconf_ack_len > 0)
|
|
|
|
return err_param->cause;
|
|
|
|
else
|
|
|
|
return SCTP_ERROR_INV_PARAM;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return SCTP_ERROR_INV_PARAM;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
length = ntohs(asconf_ack_param->param_hdr.length);
|
2011-06-13 23:21:26 +07:00
|
|
|
asconf_ack_param = (void *)asconf_ack_param + length;
|
2005-04-17 05:20:36 +07:00
|
|
|
asconf_ack_len -= length;
|
|
|
|
}
|
|
|
|
|
|
|
|
return err_code;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Process an incoming ASCONF_ACK chunk against the cached last ASCONF chunk. */
|
|
|
|
int sctp_process_asconf_ack(struct sctp_association *asoc,
|
|
|
|
struct sctp_chunk *asconf_ack)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *asconf = asoc->addip_last_asconf;
|
|
|
|
union sctp_addr_param *addr_param;
|
|
|
|
sctp_addip_param_t *asconf_param;
|
|
|
|
int length = 0;
|
|
|
|
int asconf_len = asconf->skb->len;
|
|
|
|
int all_param_pass = 0;
|
|
|
|
int no_err = 1;
|
|
|
|
int retval = 0;
|
2006-11-21 08:01:42 +07:00
|
|
|
__be16 err_code = SCTP_ERROR_NO_ERROR;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Skip the chunkhdr and addiphdr from the last asconf sent and store
|
|
|
|
* a pointer to address parameter.
|
2007-02-09 21:25:18 +07:00
|
|
|
*/
|
2005-04-17 05:20:36 +07:00
|
|
|
length = sizeof(sctp_addip_chunk_t);
|
|
|
|
addr_param = (union sctp_addr_param *)(asconf->skb->data + length);
|
|
|
|
asconf_len -= length;
|
|
|
|
|
|
|
|
/* Skip the address parameter in the last asconf sent and store a
|
2007-12-21 05:03:52 +07:00
|
|
|
* pointer to the first asconf parameter.
|
2007-02-09 21:25:18 +07:00
|
|
|
*/
|
2011-04-19 02:11:47 +07:00
|
|
|
length = ntohs(addr_param->p.length);
|
2011-06-13 23:21:26 +07:00
|
|
|
asconf_param = (void *)addr_param + length;
|
2005-04-17 05:20:36 +07:00
|
|
|
asconf_len -= length;
|
|
|
|
|
|
|
|
/* ADDIP 4.1
|
|
|
|
* A8) If there is no response(s) to specific TLV parameter(s), and no
|
|
|
|
* failures are indicated, then all request(s) are considered
|
|
|
|
* successful.
|
|
|
|
*/
|
|
|
|
if (asconf_ack->skb->len == sizeof(sctp_addiphdr_t))
|
|
|
|
all_param_pass = 1;
|
|
|
|
|
|
|
|
/* Process the TLVs contained in the last sent ASCONF chunk. */
|
|
|
|
while (asconf_len > 0) {
|
|
|
|
if (all_param_pass)
|
|
|
|
err_code = SCTP_ERROR_NO_ERROR;
|
|
|
|
else {
|
|
|
|
err_code = sctp_get_asconf_response(asconf_ack,
|
|
|
|
asconf_param,
|
|
|
|
no_err);
|
|
|
|
if (no_err && (SCTP_ERROR_NO_ERROR != err_code))
|
|
|
|
no_err = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (err_code) {
|
|
|
|
case SCTP_ERROR_NO_ERROR:
|
2009-06-16 13:47:30 +07:00
|
|
|
sctp_asconf_param_success(asoc, asconf_param);
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_ERROR_RSRC_LOW:
|
|
|
|
retval = 1;
|
|
|
|
break;
|
|
|
|
|
2009-04-07 14:44:29 +07:00
|
|
|
case SCTP_ERROR_UNKNOWN_PARAM:
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Disable sending this type of asconf parameter in
|
|
|
|
* future.
|
2007-02-09 21:25:18 +07:00
|
|
|
*/
|
2005-04-17 05:20:36 +07:00
|
|
|
asoc->peer.addip_disabled_mask |=
|
|
|
|
asconf_param->param_hdr.type;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SCTP_ERROR_REQ_REFUSED:
|
|
|
|
case SCTP_ERROR_DEL_LAST_IP:
|
|
|
|
case SCTP_ERROR_DEL_SRC_IP:
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Skip the processed asconf parameter and move to the next
|
|
|
|
* one.
|
2007-02-09 21:25:18 +07:00
|
|
|
*/
|
2005-04-17 05:20:36 +07:00
|
|
|
length = ntohs(asconf_param->param_hdr.length);
|
2011-06-13 23:21:26 +07:00
|
|
|
asconf_param = (void *)asconf_param + length;
|
2005-04-17 05:20:36 +07:00
|
|
|
asconf_len -= length;
|
|
|
|
}
|
|
|
|
|
2011-06-17 09:03:23 +07:00
|
|
|
if (no_err && asoc->src_out_of_asoc_ok) {
|
2011-04-26 18:19:36 +07:00
|
|
|
asoc->src_out_of_asoc_ok = 0;
|
2011-06-17 09:03:23 +07:00
|
|
|
sctp_transport_immediate_rtx(asoc->peer.primary_path);
|
|
|
|
}
|
2011-04-26 18:19:36 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Free the cached last sent asconf chunk. */
|
2008-02-06 02:23:44 +07:00
|
|
|
list_del_init(&asconf->transmitted_list);
|
2005-04-17 05:20:36 +07:00
|
|
|
sctp_chunk_free(asconf);
|
|
|
|
asoc->addip_last_asconf = NULL;
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2007-02-09 21:25:18 +07:00
|
|
|
/* Make a FWD TSN chunk. */
|
2005-04-17 05:20:36 +07:00
|
|
|
struct sctp_chunk *sctp_make_fwdtsn(const struct sctp_association *asoc,
|
|
|
|
__u32 new_cum_tsn, size_t nstreams,
|
|
|
|
struct sctp_fwdtsn_skip *skiplist)
|
|
|
|
{
|
|
|
|
struct sctp_chunk *retval = NULL;
|
2007-02-09 21:25:18 +07:00
|
|
|
struct sctp_fwdtsn_hdr ftsn_hdr;
|
2005-04-17 05:20:36 +07:00
|
|
|
struct sctp_fwdtsn_skip skip;
|
|
|
|
size_t hint;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
hint = (nstreams + 1) * sizeof(__u32);
|
|
|
|
|
2016-03-11 04:33:07 +07:00
|
|
|
retval = sctp_make_control(asoc, SCTP_CID_FWD_TSN, 0, hint, GFP_ATOMIC);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
if (!retval)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
ftsn_hdr.new_cum_tsn = htonl(new_cum_tsn);
|
|
|
|
retval->subh.fwdtsn_hdr =
|
|
|
|
sctp_addto_chunk(retval, sizeof(ftsn_hdr), &ftsn_hdr);
|
|
|
|
|
|
|
|
for (i = 0; i < nstreams; i++) {
|
|
|
|
skip.stream = skiplist[i].stream;
|
|
|
|
skip.ssn = skiplist[i].ssn;
|
|
|
|
sctp_addto_chunk(retval, sizeof(skip), &skip);
|
|
|
|
}
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|