From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: network dev <netdev@vger.kernel.org>,
	davem@davemloft.net, vyasevic@redhat.com
Subject: Re: [PATCH net v2] sctp: asconf's process should verify address parameter is in the beginning
Date: Tue, 25 Aug 2015 11:01:13 -0300
Message-ID: <20150825140113.GD1873@localhost.localdomain>
In-Reply-To: <3ffe8f6b86e33c016dddec672fab23a206c21acf.1440505764.git.lucien.xin@gmail.com>

On Tue, Aug 25, 2015 at 08:29:24PM +0800, Xin Long wrote:
> in sctp_process_asconf(), we get address parameter from the beginning of
> the addip params. but we never check if it's really there. if the addr
> param is not there, it still can pass sctp_verify_asconf(), then to be
> handled by sctp_process_asconf(), it will not be safe.
> 
> so add a code in sctp_verify_asconf() to check the address parameter is in
> the beginning, or return false to send abort.
> 
> v1->v2:
>  * put the check behind the params' length verify.
> 
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
>  net/sctp/sm_make_chunk.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 06320c8..89a4d1c 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -3166,6 +3166,13 @@ bool sctp_verify_asconf(const struct sctp_association *asoc,
>  		return false;
>  	if (!addr_param_needed && addr_param_seen)
>  		return false;
> +	if (addr_param_needed && addr_param_seen) {
> +		/* Ensure the address parameter is in the beginning */
> +		param.v = chunk->skb->data + sizeof(sctp_addiphdr_t);

Using param.v before the loop made sense but after the loop, it will
cause all packets that hit here to be rejected due to the check below.

> +		if (param.p->type != SCTP_PARAM_IPV4_ADDRESS &&
> +		    param.p->type != SCTP_PARAM_IPV6_ADDRESS)
> +			return false;
> +	}
>  	if (param.v != chunk->chunk_end)
   this one    -----^

Maybe it's easier if you put this check inside the loop for each ipv4/6,
and check if it is the first parameter or not by mimicking the way
sctp_walk_params() finds the first chunk, it's just a pointer
dereference and that was already checked and performed to reach there.

(You can have some logic with addr_param_seen so you don't catch the
multiple parameters in there.)

  Marcelo

>  		return false;
>  
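Review bot: the assignment `param.v = chunk->skb->data + sizeof(sctp_addiphdr_t);` in the added block overwrites the pointer that the following context line, `if (param.v != chunk->chunk_end)`, compares against the end of the chunk. Once the added block has run, param.v points at the first parameter rather than at wherever it was before the assignment, so any chunk that enters this branch with at least one parameter fails the comparison and is rejected. Keep the first-parameter test on a separate local pointer, or make the position check at the point where the address parameter is first encountered, so that param.v is left untouched for the chunk_end comparison. The new comment would also be clearer if it said that the address parameter must be the first parameter after the ASCONF header.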
> -- 
> 2.1.0
> 
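The approach suggested in the reply above (test the position of the address parameter during the walk and leave the walk cursor alone for the end-of-chunk comparison), as an added example that is not part of the thread or of the kernel source. It is a simplified user-space model: `verify_asconf_model`, `ASCONF_HDR_LEN` and the byte arrays are hypothetical names and constructed data, and the 4-byte header is an assumption standing in for `sizeof(sctp_addiphdr_t)`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PARAM_IPV4_ADDRESS 5   /* address parameter types, RFC 4960 */
#define PARAM_IPV6_ADDRESS 6
#define ASCONF_HDR_LEN     4   /* assumed: 4-byte serial number before the TLVs */

/* Constructed samples: serial number, then TLVs. 0xC001 is ADD-IP (RFC 5061). */
const uint8_t addr_first[] = { 0, 0, 0, 1,
    0x00, 0x05, 0x00, 0x08, 192, 0, 2, 1,
    0xC0, 0x01, 0x00, 0x10, 0, 0, 0, 7, 0x00, 0x05, 0x00, 0x08, 192, 0, 2, 2 };
const uint8_t addr_second[] = { 0, 0, 0, 1,
    0xC0, 0x01, 0x00, 0x10, 0, 0, 0, 7, 0x00, 0x05, 0x00, 0x08, 192, 0, 2, 2,
    0x00, 0x05, 0x00, 0x08, 192, 0, 2, 1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical user-space model of the verify step, not the kernel function. */
bool verify_asconf_model(const uint8_t *chunk, size_t len, bool addr_param_needed)
{
    bool addr_param_seen = false;
    if (len < ASCONF_HDR_LEN)
        return false;
    const uint8_t *first = chunk + ASCONF_HDR_LEN, *end = chunk + len;
    const uint8_t *cur = first;          /* walk cursor, never reset */

    while ((size_t)(end - cur) >= 4) {
        uint16_t type = be16(cur), plen = be16(cur + 2);
        size_t padded = ((size_t)plen + 3) & ~(size_t)3;
        if (plen < 4 || padded > (size_t)(end - cur))
            return false;                /* malformed or truncated TLV */
        if (type == PARAM_IPV4_ADDRESS || type == PARAM_IPV6_ADDRESS) {
            if (cur != first)            /* address parameter must come first */
                return false;
            addr_param_seen = true;
        }
        cur += padded;                   /* nested TLVs are skipped as payload */
    }
    if (addr_param_needed != addr_param_seen)
        return false;
    return cur == end;                   /* cursor still marks the end of the walk */
}

int main(void)
{
    return !(verify_asconf_model(addr_first, sizeof addr_first, true) &&
             !verify_asconf_model(addr_second, sizeof addr_second, true));
}
```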
