From: Vlad Yasevich <vladislav.yasevich@hp.com>
To: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: sri@us.ibm.com, linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] sctp: prevent reading out-of-bounds memory
Date: Fri, 03 Sep 2010 14:15:47 +0000 [thread overview]
Message-ID: <4C810313.80000@hp.com> (raw)
In-Reply-To: <AANLkTineCKfL-UvqfQBTZPDFeqm3Nrpb=pFnZpkSqbEQ@mail.gmail.com>
On 09/03/2010 09:48 AM, Dan Rosenberg wrote:
> Two user-controlled allocations in SCTP are subsequently dereferenced
> as sockaddr structs, without checking if the dereferenced struct
> members fall beyond the end of the allocated chunk. There doesn't
> appear to be any information leakage here based on how these members
> are used and additional checking, but it's still worth fixing.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
>
> --- linux-2.6.35.4.orig/net/sctp/socket.c 2010-09-03 08:58:48.127080114 -0400
> +++ linux-2.6.35.4/net/sctp/socket.c 2010-09-03 09:22:06.337096825 -0400
> @@ -889,6 +889,7 @@ SCTP_STATIC int sctp_setsockopt_bindx(st
> int err;
> int addrcnt = 0;
> int walk_size = 0;
> + unsigned int remaining = addrs_size;
> struct sockaddr *sa_addr;
> void *addr_buf;
> struct sctp_af *af;
> @@ -916,6 +917,13 @@ SCTP_STATIC int sctp_setsockopt_bindx(st
> /* Walk through the addrs buffer and count the number of addresses. */
> addr_buf = kaddrs;
> while (walk_size < addrs_size) {
> +
> + /* Don't read out-of-bounds memory */
> + if (remaining < sizeof(struct sockaddr)) {
> + kfree(kaddrs);
> + return -EINVAL;
> + }
> +
Hm.. we already validate that we have the proper amount of space for a given sockaddr.
The only thing we are missing is making sure that there is room to get the proper address
family and I think you can do that without adding any extra variables:
if (walk_size + sizeof(sa_family_t) > addr_size) {
/* Not enough room for address family */
kfree(kaddrs);
return -EINVAL;
}
-vlad
> sa_addr = (struct sockaddr *)addr_buf;
> af = sctp_get_af_specific(sa_addr->sa_family);
>
> @@ -929,6 +937,7 @@ SCTP_STATIC int sctp_setsockopt_bindx(st
> addrcnt++;
> addr_buf += af->sockaddr_len;
> walk_size += af->sockaddr_len;
> + remaining -= af->sockaddr_len;
> }
>
> /* Do the work. */
> @@ -984,6 +993,7 @@ static int __sctp_connect(struct sock* s
> void *addr_buf;
> unsigned short port;
> unsigned int f_flags = 0;
> + unsigned int remaining = addrs_size;
>
> sp = sctp_sk(sk);
> ep = sp->ep;
> @@ -1002,6 +1012,13 @@ static int __sctp_connect(struct sock* s
> /* Walk through the addrs buffer and count the number of addresses. */
> addr_buf = kaddrs;
> while (walk_size < addrs_size) {
> +
> + /* Don't read out-of-bounds memory */
> + if (remaining < sizeof(union sctp_addr)) {
> + err = -EINVAL;
> + goto out_free;
> + }
> +
> sa_addr = (union sctp_addr *)addr_buf;
> af = sctp_get_af_specific(sa_addr->sa.sa_family);
> port = ntohs(sa_addr->v4.sin_port);
> @@ -1101,6 +1118,7 @@ static int __sctp_connect(struct sock* s
> addrcnt++;
> addr_buf += af->sockaddr_len;
> walk_size += af->sockaddr_len;
> + remaining -= af->sockaddr_len;
> }
>
> /* In case the user of sctp_connectx() wants an association
>
WARNING: multiple messages have this Message-ID (diff)
From: Vlad Yasevich <vladislav.yasevich@hp.com>
To: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: sri@us.ibm.com, linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] sctp: prevent reading out-of-bounds memory
Date: Fri, 03 Sep 2010 10:15:47 -0400 [thread overview]
Message-ID: <4C810313.80000@hp.com> (raw)
In-Reply-To: <AANLkTineCKfL-UvqfQBTZPDFeqm3Nrpb=pFnZpkSqbEQ@mail.gmail.com>
On 09/03/2010 09:48 AM, Dan Rosenberg wrote:
> Two user-controlled allocations in SCTP are subsequently dereferenced
> as sockaddr structs, without checking if the dereferenced struct
> members fall beyond the end of the allocated chunk. There doesn't
> appear to be any information leakage here based on how these members
> are used and additional checking, but it's still worth fixing.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
>
> --- linux-2.6.35.4.orig/net/sctp/socket.c 2010-09-03 08:58:48.127080114 -0400
> +++ linux-2.6.35.4/net/sctp/socket.c 2010-09-03 09:22:06.337096825 -0400
> @@ -889,6 +889,7 @@ SCTP_STATIC int sctp_setsockopt_bindx(st
> int err;
> int addrcnt = 0;
> int walk_size = 0;
> + unsigned int remaining = addrs_size;
> struct sockaddr *sa_addr;
> void *addr_buf;
> struct sctp_af *af;
> @@ -916,6 +917,13 @@ SCTP_STATIC int sctp_setsockopt_bindx(st
> /* Walk through the addrs buffer and count the number of addresses. */
> addr_buf = kaddrs;
> while (walk_size < addrs_size) {
> +
> + /* Don't read out-of-bounds memory */
> + if (remaining < sizeof(struct sockaddr)) {
> + kfree(kaddrs);
> + return -EINVAL;
> + }
> +
Hm.. we already validate that we have the proper amount of space for a given sockaddr.
The only thing we are missing is making sure that there is room to get the proper address
family and I think you can do that without adding any extra variables:
if (walk_size + sizeof(sa_family_t) > addr_size) {
/* Not enough room for address family */
kfree(kaddrs);
return -EINVAL;
}
-vlad
> sa_addr = (struct sockaddr *)addr_buf;
> af = sctp_get_af_specific(sa_addr->sa_family);
>
> @@ -929,6 +937,7 @@ SCTP_STATIC int sctp_setsockopt_bindx(st
> addrcnt++;
> addr_buf += af->sockaddr_len;
> walk_size += af->sockaddr_len;
> + remaining -= af->sockaddr_len;
> }
>
> /* Do the work. */
> @@ -984,6 +993,7 @@ static int __sctp_connect(struct sock* s
> void *addr_buf;
> unsigned short port;
> unsigned int f_flags = 0;
> + unsigned int remaining = addrs_size;
>
> sp = sctp_sk(sk);
> ep = sp->ep;
> @@ -1002,6 +1012,13 @@ static int __sctp_connect(struct sock* s
> /* Walk through the addrs buffer and count the number of addresses. */
> addr_buf = kaddrs;
> while (walk_size < addrs_size) {
> +
> + /* Don't read out-of-bounds memory */
> + if (remaining < sizeof(union sctp_addr)) {
> + err = -EINVAL;
> + goto out_free;
> + }
> +
> sa_addr = (union sctp_addr *)addr_buf;
> af = sctp_get_af_specific(sa_addr->sa.sa_family);
> port = ntohs(sa_addr->v4.sin_port);
> @@ -1101,6 +1118,7 @@ static int __sctp_connect(struct sock* s
> addrcnt++;
> addr_buf += af->sockaddr_len;
> walk_size += af->sockaddr_len;
> + remaining -= af->sockaddr_len;
> }
>
> /* In case the user of sctp_connectx() wants an association
>
next prev parent reply other threads:[~2010-09-03 14:15 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-03 13:48 [PATCH] sctp: prevent reading out-of-bounds memory Dan Rosenberg
2010-09-03 13:48 ` Dan Rosenberg
2010-09-03 14:15 ` Vlad Yasevich [this message]
2010-09-03 14:15 ` Vlad Yasevich
2010-09-03 14:35 ` Dan Rosenberg
2010-09-03 14:35 ` Dan Rosenberg
2010-09-03 14:47 ` Dan Rosenberg
2010-09-03 14:47 ` Dan Rosenberg
2010-09-03 15:49 ` Vlad Yasevich
2010-09-03 15:49 ` Vlad Yasevich
2010-09-03 15:54 ` Dan Rosenberg
2010-09-03 15:54 ` Dan Rosenberg
2010-09-03 17:10 ` Vlad Yasevich
2010-09-03 17:10 ` Vlad Yasevich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C810313.80000@hp.com \
--to=vladislav.yasevich@hp.com \
--cc=dan.j.rosenberg@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=sri@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.