From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 08/34] sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
Date: Fri, 24 Sep 2021 14:44:02 +0200 [thread overview]
Message-ID: <20210924124330.236794802@linuxfoundation.org> (raw)
In-Reply-To: <20210924124329.965218583@linuxfoundation.org>
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.
When SCTP handles an INIT chunk, it calls for example:
sctp_sf_do_5_1B_init
sctp_verify_init
sctp_verify_param
sctp_process_init
sctp_process_param
handling of SCTP_PARAM_SET_PRIMARY
sctp_verify_init() wasn't doing proper size validation and neither the
later handling, allowing it to work over the chunk itself, possibly being
uninitialized memory.
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/sm_make_chunk.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2172,9 +2172,16 @@ static enum sctp_ierror sctp_verify_para
break;
case SCTP_PARAM_SET_PRIMARY:
- if (net->sctp.addip_enable)
- break;
- goto fallthrough;
+ if (!net->sctp.addip_enable)
+ goto fallthrough;
+
+ if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) +
+ sizeof(struct sctp_paramhdr)) {
+ sctp_process_inv_paramlength(asoc, param.p,
+ chunk, err_chunk);
+ retval = SCTP_IERROR_ABORT;
+ }
+ break;
case SCTP_PARAM_HOST_NAME_ADDRESS:
/* Tell the peer, we won't support this param. */
next prev parent reply other threads:[~2021-09-24 12:51 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-24 12:43 [PATCH 4.19 00/34] 4.19.208-rc1 review Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 4.19 01/34] s390/bpf: Fix optimizing out zero-extensions Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 4.19 02/34] KVM: remember position in kvm->vcpus array Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 4.19 03/34] rcu: Fix missed wakeup of exp_wq waiters Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 4.19 04/34] apparmor: remove duplicate macro list_entry_is_head() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 4.19 05/34] crypto: talitos - fix max key size for sha384 and sha512 Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 06/34] tracing/kprobe: Fix kprobe_on_func_entry() modification Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 07/34] sctp: validate chunk size in __rcv_asconf_lookup Greg Kroah-Hartman
2021-09-24 12:44 ` Greg Kroah-Hartman [this message]
2021-09-24 12:44 ` [PATCH 4.19 09/34] dmaengine: acpi: Avoid comparison GSI with Linux vIRQ Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 10/34] thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 11/34] 9p/trans_virtio: Remove sysfs file on probe failure Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 12/34] prctl: allow to setup brk for et_dyn executables Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 13/34] nilfs2: use refcount_dec_and_lock() to fix potential UAF Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 14/34] profiling: fix shift-out-of-bounds bugs Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 15/34] pwm: lpc32xx: Dont modify HW state in .probe() after the PWM chip was registered Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 16/34] pwm: mxs: " Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 17/34] Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 18/34] drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION() Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 19/34] parisc: Move pci_dev_is_behind_card_dino to where it is used Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 20/34] dmaengine: sprd: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 21/34] dmaengine: ioat: depends on !UML Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 22/34] dmaengine: xilinx_dma: Set DMA mask for coherent APIs Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 23/34] ceph: lockdep annotations for try_nonblocking_invalidate Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 24/34] nilfs2: fix memory leak in nilfs_sysfs_create_device_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 25/34] nilfs2: fix NULL pointer in nilfs_##name##_attr_release Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 26/34] nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 27/34] nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 28/34] nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 29/34] nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 30/34] pwm: img: Dont modify HW state in .remove() callback Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 31/34] pwm: rockchip: " Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 32/34] pwm: stm32-lp: " Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 33/34] blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 4.19 34/34] drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV Greg Kroah-Hartman
2021-09-24 13:57 ` [PATCH 4.19 00/34] 4.19.208-rc1 review Daniel Díaz
2021-09-24 17:54 ` Jon Hunter
2021-09-24 21:50 ` Pavel Machek
2021-09-24 21:54 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210924124330.236794802@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.