From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+cd494c1dd681d4d93ebb@syzkaller.appspotmail.com,
Xin Long <lucien.xin@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 15/33] sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
Date: Fri, 18 May 2018 10:15:54 +0200 [thread overview]
Message-ID: <20180518081535.712594336@linuxfoundation.org> (raw)
In-Reply-To: <20180518081535.096308218@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit d625329b06e46bd20baf9ee40847d11982569204 ]
Since sctp ipv6 socket also supports v4 addrs, it's possible to
compare two v4 addrs in pf v6 .cmp_addr, sctp_inet6_cmp_addr.
However after Commit 1071ec9d453a ("sctp: do not check port in
sctp_inet6_cmp_addr"), it no longer calls af1->cmp_addr, which
in this case is sctp_v4_cmp_addr, but calls __sctp_v6_cmp_addr
where it handles them as two v6 addrs. It would cause a out of
bounds crash.
syzbot found this crash when trying to bind two v4 addrs to a
v6 socket.
This patch fixes it by adding the process for two v4 addrs in
sctp_inet6_cmp_addr.
Fixes: 1071ec9d453a ("sctp: do not check port in sctp_inet6_cmp_addr")
Reported-by: syzbot+cd494c1dd681d4d93ebb@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/ipv6.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -864,6 +864,9 @@ static int sctp_inet6_cmp_addr(const uni
if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2))
return 1;
+ if (addr1->sa.sa_family == AF_INET && addr2->sa.sa_family == AF_INET)
+ return addr1->v4.sin_addr.s_addr == addr2->v4.sin_addr.s_addr;
+
return __sctp_v6_cmp_addr(addr1, addr2);
}
next prev parent reply other threads:[~2018-05-18 8:15 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-18 8:15 [PATCH 4.9 00/33] 4.9.101-stable review Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 01/33] 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 02/33] bridge: check iface upper dev when setting master via ioctl Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 04/33] ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 05/33] llc: better deal with too small mtu Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 06/33] net: ethernet: sun: niu set correct packet size in skb Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 07/33] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 08/33] net/mlx4_en: Verify coalescing parameters are in range Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 09/33] net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 10/33] net_sched: fq: take care of throttled flows before reuse Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 11/33] net: support compat 64-bit time in {s,g}etsockopt Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 12/33] openvswitch: Dont swap table in nlattr_set() after OVS_ATTR_NESTED is found Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 13/33] qmi_wwan: do not steal interfaces from class drivers Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 14/33] r8169: fix powering up RTL8168h Greg Kroah-Hartman
2018-05-18 8:15 ` Greg Kroah-Hartman [this message]
2018-05-18 8:15 ` [PATCH 4.9 16/33] sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 17/33] sctp: use the old asoc when making the cookie-ack chunk in dupcook_d Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 18/33] tcp_bbr: fix to zero idle_restart only upon S/ACKed data Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 19/33] tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent() Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 20/33] bonding: do not allow rlb updates to invalid mac Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 21/33] net/mlx5: Avoid cleaning flow steering table twice during error flow Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 22/33] bonding: send learning packets for vlans on slave Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 23/33] tcp: ignore Fast Open on repair mode Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 24/33] sctp: fix the issue that the cookie-ack with auth cant get processed Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 25/33] sctp: delay the authentication for the duplicated cookie-echo chunk Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 26/33] serial: sccnxp: Fix error handling in sccnxp_probe() Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 27/33] futex: Remove duplicated code and fix undefined behaviour Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` [OpenRISC] " Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` [OpenRISC] " Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` [OpenRISC] " Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 28/33] xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 29/33] lockd: lost rollback of set_grace_period() in lockd_down_net() Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 30/33] Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap" Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 31/33] l2tp: revert "l2tp: fix missing print session offset info" Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 32/33] nfp: TX time stamp packets before HW doorbell is rung Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 33/33] proc: do not access cmdline nor environ from file-backed areas Greg Kroah-Hartman
2018-05-18 13:20 ` [PATCH 4.9 00/33] 4.9.101-stable review Guenter Roeck
2018-05-18 14:05 ` kernelci.org bot
2018-05-18 19:02 ` Naresh Kamboju
2018-05-18 20:47 ` Shuah Khan
-- strict thread matches above, loose matches on Subject: below --
2018-05-18 8:15 [PATCH 4.9 03/33] dccp: fix tasklet usage Greg Kroah-Hartman
2018-05-18 8:15 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180518081535.712594336@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=marcelo.leitner@gmail.com \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+cd494c1dd681d4d93ebb@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.