[PATCH] net: SCTP NULL-pointer dereference problem description and fix

[PATCH] net: SCTP NULL-pointer dereference problem description and fix

[Thomas Dreibholz]

sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a 
NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if there is 
no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR() makes an access 
to t->ipaddr.v4.sin_port, without checking t before. t=NULL => oops.

The patch below against 2.6.36-rc4 (git repository) simply ensures that t is 
checked for not being set to NULL before calling SCTP_DEBUG_PRINTK_IPADDR().


Signed-off-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
---
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index e41feff..b2688a4 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1321,15 +1321,15 @@ void sctp_assoc_update_retran_path(struct 
sctp_association *asoc)
 		}
 	}

-	if (t)
+	if (t) {
 		asoc->peer.retran_path = t;
-
-	SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
-				 " %p addr: ",
-				 " port: %d\n",
-				 asoc,
-				 (&t->ipaddr),
-				 ntohs(t->ipaddr.v4.sin_port));
+		SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
+					 " %p addr: ",
+					 " port: %d\n",
+					 asoc,
+					 (&t->ipaddr),
+					 ntohs(t->ipaddr.v4.sin_port));
+	}
 }

 /* Choose the transport for sending retransmit packet.  */

[PATCH] net: SCTP NULL-pointer dereference problem description and fix

[Thomas Dreibholz]

sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a 
NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if there is 
no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR() makes an access 
to t->ipaddr.v4.sin_port, without checking t before. t==NULL => oops.

The patch below against 2.6.36-rc4 (git repository) simply ensures that t is 
checked for not being set to NULL before calling SCTP_DEBUG_PRINTK_IPADDR().


Signed-off-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
---
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index e41feff..b2688a4 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1321,15 +1321,15 @@ void sctp_assoc_update_retran_path(struct 
sctp_association *asoc)
 		}
 	}

-	if (t)
+	if (t) {
 		asoc->peer.retran_path = t;
-
-	SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
-				 " %p addr: ",
-				 " port: %d\n",
-				 asoc,
-				 (&t->ipaddr),
-				 ntohs(t->ipaddr.v4.sin_port));
+		SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
+					 " %p addr: ",
+					 " port: %d\n",
+					 asoc,
+					 (&t->ipaddr),
+					 ntohs(t->ipaddr.v4.sin_port));
+	}
 }

 /* Choose the transport for sending retransmit packet.  */

Re: [PATCH] net: SCTP NULL-pointer dereference problem description

[Shan Wei]

Thomas Dreibholz wrote, at 09/15/2010 04:03 PM:
> sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a 
> NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if there is 
> no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR() makes an access 
> to t->ipaddr.v4.sin_port, without checking t before. t=NULL => oops.
> 
> The patch below against 2.6.36-rc4 (git repository) simply ensures that t is 
> checked for not being set to NULL before calling SCTP_DEBUG_PRINTK_IPADDR().

This bug has been reported by WeiYongjun and fixed by vlad for several months.
About the details see .
http://marc.info/?l=linux-sctp&m\x127359276009851&w=2

But this patch is still in vlad's net-next tree, not in main tree.
See the patch:
http://git.kernel.org/?p=linux/kernel/git/vxy/lksctp-dev.git;a=commit;hë1639d206320e6a09168d6dd77306eaf5f02582



> 
> 
> Signed-off-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
> ---
> diff --git a/net/sctp/associola.c b/net/sctp/associola.c
> index e41feff..b2688a4 100644
> --- a/net/sctp/associola.c
> +++ b/net/sctp/associola.c
> @@ -1321,15 +1321,15 @@ void sctp_assoc_update_retran_path(struct 
> sctp_association *asoc)
>  		}
>  	}
> 
> -	if (t)
> +	if (t) {
>  		asoc->peer.retran_path = t;
> -
> -	SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
> -				 " %p addr: ",
> -				 " port: %d\n",
> -				 asoc,
> -				 (&t->ipaddr),
> -				 ntohs(t->ipaddr.v4.sin_port));
> +		SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
> +					 " %p addr: ",
> +					 " port: %d\n",
> +					 asoc,
> +					 (&t->ipaddr),
> +					 ntohs(t->ipaddr.v4.sin_port));
> +	}
>  }
> 
>  /* Choose the transport for sending retransmit packet.  */
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 


-- 

Best Regards
-----
Shan Wei

Re: [PATCH] net: SCTP NULL-pointer dereference problem description and fix

[Shan Wei]

Thomas Dreibholz wrote, at 09/15/2010 04:03 PM:
> sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a 
> NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if there is 
> no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR() makes an access 
> to t->ipaddr.v4.sin_port, without checking t before. t==NULL => oops.
> 
> The patch below against 2.6.36-rc4 (git repository) simply ensures that t is 
> checked for not being set to NULL before calling SCTP_DEBUG_PRINTK_IPADDR().

This bug has been reported by WeiYongjun and fixed by vlad for several months.
About the details see .
http://marc.info/?l=linux-sctp&m=127359276009851&w=2

But this patch is still in vlad's net-next tree, not in main tree.
See the patch:
http://git.kernel.org/?p=linux/kernel/git/vxy/lksctp-dev.git;a=commit;h=eb1639d206320e6a09168d6dd77306eaf5f02582



> 
> 
> Signed-off-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
> ---
> diff --git a/net/sctp/associola.c b/net/sctp/associola.c
> index e41feff..b2688a4 100644
> --- a/net/sctp/associola.c
> +++ b/net/sctp/associola.c
> @@ -1321,15 +1321,15 @@ void sctp_assoc_update_retran_path(struct 
> sctp_association *asoc)
>  		}
>  	}
> 
> -	if (t)
> +	if (t) {
>  		asoc->peer.retran_path = t;
> -
> -	SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
> -				 " %p addr: ",
> -				 " port: %d\n",
> -				 asoc,
> -				 (&t->ipaddr),
> -				 ntohs(t->ipaddr.v4.sin_port));
> +		SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
> +					 " %p addr: ",
> +					 " port: %d\n",
> +					 asoc,
> +					 (&t->ipaddr),
> +					 ntohs(t->ipaddr.v4.sin_port));
> +	}
>  }
> 
>  /* Choose the transport for sending retransmit packet.  */
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 


-- 

Best Regards
-----
Shan Wei

Re: [PATCH] net: SCTP NULL-pointer dereference problem description and fix

[Thomas Dreibholz]

On Mittwoch 15 September 2010, Shan Wei wrote:
> Thomas Dreibholz wrote, at 09/15/2010 04:03 PM:
> > sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a
> > NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if
> > there is no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR()
> > makes an access to t->ipaddr.v4.sin_port, without checking t before.
> > t=NULL => oops.
> > 
> > The patch below against 2.6.36-rc4 (git repository) simply ensures that t
> > is checked for not being set to NULL before calling
> > SCTP_DEBUG_PRINTK_IPADDR().
> 
> This bug has been reported by WeiYongjun and fixed by vlad for several
> months. About the details see .
> http://marc.info/?l=linux-sctp&m\x127359276009851&w=2
> 
> But this patch is still in vlad's net-next tree, not in main tree.
> See the patch:
> http://git.kernel.org/?p=linux/kernel/git/vxy/lksctp-dev.git;a=commit;hë1
> 639d206320e6a09168d6dd77306eaf5f02582

This patch resolves the problem. I am using the main tree. The patch should 
also be applied there.


Best regards
-- 
=================================== Dr. Thomas Dreibholz

 University of Duisburg-Essen,                   Room ES210
 Inst. for Experimental Mathematics              Ellernstraße 29
 Computer Networking Technology Group            D-45326 Essen/Germany
-----------------------------------------------------------------------
 E-Mail:     dreibh@iem.uni-due.de
 Homepage:   http://www.iem.uni-due.de/~dreibh
===================================

Re: [PATCH] net: SCTP NULL-pointer dereference problem description and fix

[Thomas Dreibholz]

On Mittwoch 15 September 2010, Shan Wei wrote:
> Thomas Dreibholz wrote, at 09/15/2010 04:03 PM:
> > sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a
> > NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if
> > there is no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR()
> > makes an access to t->ipaddr.v4.sin_port, without checking t before.
> > t==NULL => oops.
> > 
> > The patch below against 2.6.36-rc4 (git repository) simply ensures that t
> > is checked for not being set to NULL before calling
> > SCTP_DEBUG_PRINTK_IPADDR().
> 
> This bug has been reported by WeiYongjun and fixed by vlad for several
> months. About the details see .
> http://marc.info/?l=linux-sctp&m=127359276009851&w=2
> 
> But this patch is still in vlad's net-next tree, not in main tree.
> See the patch:
> http://git.kernel.org/?p=linux/kernel/git/vxy/lksctp-dev.git;a=commit;h=eb1
> 639d206320e6a09168d6dd77306eaf5f02582

This patch resolves the problem. I am using the main tree. The patch should 
also be applied there.


Best regards
-- 
=======================================================================
 Dr. Thomas Dreibholz

 University of Duisburg-Essen,                   Room ES210
 Inst. for Experimental Mathematics              Ellernstraße 29
 Computer Networking Technology Group            D-45326 Essen/Germany
-----------------------------------------------------------------------
 E-Mail:     dreibh@iem.uni-due.de
 Homepage:   http://www.iem.uni-due.de/~dreibh
=======================================================================

Re: [PATCH] net: SCTP NULL-pointer dereference problem description

[Vlad Yasevich]

On 09/15/2010 08:53 AM, Thomas Dreibholz wrote:
> On Mittwoch 15 September 2010, Shan Wei wrote:
>> Thomas Dreibholz wrote, at 09/15/2010 04:03 PM:
>>> sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a
>>> NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if
>>> there is no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR()
>>> makes an access to t->ipaddr.v4.sin_port, without checking t before.
>>> t=NULL => oops.
>>>
>>> The patch below against 2.6.36-rc4 (git repository) simply ensures that t
>>> is checked for not being set to NULL before calling
>>> SCTP_DEBUG_PRINTK_IPADDR().
>>
>> This bug has been reported by WeiYongjun and fixed by vlad for several
>> months. About the details see .
>> http://marc.info/?l=linux-sctp&m\x127359276009851&w=2
>>
>> But this patch is still in vlad's net-next tree, not in main tree.
>> See the patch:
>> http://git.kernel.org/?p=linux/kernel/git/vxy/lksctp-dev.git;a=commit;hë1
>> 639d206320e6a09168d6dd77306eaf5f02582
> 
> This patch resolves the problem. I am using the main tree. The patch should 
> also be applied there.
> 
> 
> Best regards

Yes.  I know.  I've been just touch busy (and not with SCTP pieces) and backlog
is starting to accumulate.
I'll try to push stuff out this week.

-vlad

Re: [PATCH] net: SCTP NULL-pointer dereference problem description and fix

[Vlad Yasevich]

On 09/15/2010 08:53 AM, Thomas Dreibholz wrote:
> On Mittwoch 15 September 2010, Shan Wei wrote:
>> Thomas Dreibholz wrote, at 09/15/2010 04:03 PM:
>>> sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a
>>> NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if
>>> there is no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR()
>>> makes an access to t->ipaddr.v4.sin_port, without checking t before.
>>> t==NULL => oops.
>>>
>>> The patch below against 2.6.36-rc4 (git repository) simply ensures that t
>>> is checked for not being set to NULL before calling
>>> SCTP_DEBUG_PRINTK_IPADDR().
>>
>> This bug has been reported by WeiYongjun and fixed by vlad for several
>> months. About the details see .
>> http://marc.info/?l=linux-sctp&m=127359276009851&w=2
>>
>> But this patch is still in vlad's net-next tree, not in main tree.
>> See the patch:
>> http://git.kernel.org/?p=linux/kernel/git/vxy/lksctp-dev.git;a=commit;h=eb1
>> 639d206320e6a09168d6dd77306eaf5f02582
> 
> This patch resolves the problem. I am using the main tree. The patch should 
> also be applied there.
> 
> 
> Best regards

Yes.  I know.  I've been just touch busy (and not with SCTP pieces) and backlog
is starting to accumulate.
I'll try to push stuff out this week.

-vlad