| Message ID | 20161024194422.GF2958@localhost.localdomain |
|---|---|
| State | RFC, archived |
| Delegated to: | David Miller |
| Headers | show |
Hi Marcelo, I can confirm that your patch fixes the issue for me. Tested-by: Andrey Konovalov <andreyknvl@google.com> On Mon, Oct 24, 2016 at 9:44 PM, Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> wrote: > Hi Andrey, > > On Mon, Oct 24, 2016 at 05:30:04PM +0200, Andrey Konovalov wrote: >> The problem is that sctp_walk_errors walks the chunk before its length >> is checked for overflow. > > Exactly. The check is done too late, for the 2nd and subsequent chunks > only. > Please try the following patch, thanks. Note: not even compile tested. > > ---8<--- > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c > index 026e3bca4a94..8ec20a64a3f8 100644 > --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c > @@ -3422,6 +3422,12 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, > return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > commands); > > + /* Report violation if chunk len overflows */ > + ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); > + if (ch_end > skb_tail_pointer(skb)) > + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > + commands); > + > /* Now that we know we at least have a chunk header, > * do things that are type appropriate. > */ > @@ -3453,12 +3459,6 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, > } > } > > - /* Report violation if chunk len overflows */ > - ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); > - if (ch_end > skb_tail_pointer(skb)) > - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > - commands); > - > ch = (sctp_chunkhdr_t *) ch_end; > } while (ch_end < skb_tail_pointer(skb)); >
On Tue, Oct 25, 2016 at 02:23:48PM +0200, Andrey Konovalov wrote: > Hi Marcelo, > > I can confirm that your patch fixes the issue for me. > > Tested-by: Andrey Konovalov <andreyknvl@google.com> Great, thanks Andrey! I'll post the patch in a few. > > On Mon, Oct 24, 2016 at 9:44 PM, Marcelo Ricardo Leitner > <marcelo.leitner@gmail.com> wrote: > > Hi Andrey, > > > > On Mon, Oct 24, 2016 at 05:30:04PM +0200, Andrey Konovalov wrote: > >> The problem is that sctp_walk_errors walks the chunk before its length > >> is checked for overflow. > > > > Exactly. The check is done too late, for the 2nd and subsequent chunks > > only. > > Please try the following patch, thanks. Note: not even compile tested. > > > > ---8<--- > > > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c > > index 026e3bca4a94..8ec20a64a3f8 100644 > > --- a/net/sctp/sm_statefuns.c > > +++ b/net/sctp/sm_statefuns.c > > @@ -3422,6 +3422,12 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, > > return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > > commands); > > > > + /* Report violation if chunk len overflows */ > > + ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); > > + if (ch_end > skb_tail_pointer(skb)) > > + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > > + commands); > > + > > /* Now that we know we at least have a chunk header, > > * do things that are type appropriate. > > */ > > @@ -3453,12 +3459,6 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, > > } > > } > > > > - /* Report violation if chunk len overflows */ > > - ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); > > - if (ch_end > skb_tail_pointer(skb)) > > - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > > - commands); > > - > > ch = (sctp_chunkhdr_t *) ch_end; > > } while (ch_end < skb_tail_pointer(skb)); > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 026e3bca4a94..8ec20a64a3f8 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -3422,6 +3422,12 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); + /* Report violation if chunk len overflows */ + ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); + if (ch_end > skb_tail_pointer(skb)) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, + commands); + /* Now that we know we at least have a chunk header, * do things that are type appropriate. */ @@ -3453,12 +3459,6 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, } } - /* Report violation if chunk len overflows */ - ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); - if (ch_end > skb_tail_pointer(skb)) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); - ch = (sctp_chunkhdr_t *) ch_end; } while (ch_end < skb_tail_pointer(skb));