From: Daniel Borkmann <dborkman@redhat.com>
To: linux-sctp@vger.kernel.org
Subject: Re: [PATCH]: NULL pointer dereference in sctp_auth_asoc_set_default_hmac
Date: Wed, 16 Apr 2014 07:58:39 +0000
Message-ID: <534E382F.4030507@redhat.com>
In-Reply-To: <534E0C7A.9070309@gentoo.org>

Hi Joshua,

On 04/16/2014 06:52 AM, Joshua Kinard wrote:
> Hi linux-sctp,
>
> I stumbled into a NULL pointer dereference on amd64 and mips when receiving
> an INIT chunk containing the HMAC Algorithm Parameter (0x8004) when
> net.sctp.auth_enable = 1.
>
> From some quick debugging I did, even if net.sctp.auth_enable = 1, the if
> statement on line 448 in net/sctp/auth.c::sctp_auth_init_hmacs() checks
> net->sctp.auth_enable and gets '0' back, which causes ep->auth_hmacs to get
> set to NULL:
>
> 448         if (!net->sctp.auth_enable) {
> 449                 ep->auth_hmacs = NULL;
> 450                 return 0;
> 451         }
>
>
> Later, the if statement on line 621 in
> net/sctp/auth.c::sctp_auth_asoc_set_default_hmac() attempts to access
> ep->auth_hmacs without first checking for NULL, which triggers the oops:

I presume at this point, it's net->sctp.auth_enable = 1 as we test for
it here before calling sctp_auth_asoc_set_default_hmac():

	case SCTP_PARAM_HMAC_ALGO:
		if (!net->sctp.auth_enable)
			goto fall_through;

Could it be that upon sctp_endpoint_init() time in your case,
sctp.auth_enable was still reset to 0, but you've set it between
sctp_endpoint_init() time and before invocation of
sctp_auth_asoc_set_default_hmac() to 1, so that this code path
will suddenly be taken, causing the NULL ptr deref?

> 620                 /* If this TFM has been allocated, use this id */
> 621                 if (ep->auth_hmacs[id]) {
> 622                         asoc->default_hmac_id = id;
> 623                         break;
> 624                 }
>
>
> I am not sure why net->sctp.auth_enable is initially returning '0' when it's
> set in sysctl, and verified in /proc/sys/net/sctp/auth_enable.  Adding a
> check for NULL on ep->auth_hmacs in the if statement stops the oops from
> happening, though I am not sure if this is the correct fix.
...
> Another thing I noticed, is that I cannot trigger the Oops from the
> SCTP/DTLS samples on this page:
> http://sctp.fh-muenster.de/dtls-samples.html
>
> But if I patch OpenSSH with the SCTP patch below, that does trigger it on
> the sshd server machine as soon as I issue 'ssh -z user@host ...'.  I've
> looked at both INIT chunks sent out by the respective programs in Wireshark,
> but nothing stands out.

Same symptoms?

Do you have a test pcap though?

> OpenSSH SCTP:
> https://bugzilla.mindrot.org/show_bug.cgi?id 16
>
> If anyone's got other ideas to try out, let me know, thanks!

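A user-space C model of the interleaving described above, added here as an example (it is not the kernel's code nor a patch from this thread): the endpoint is created while net.sctp.auth_enable is 0, the sysctl is then switched to 1, and the INIT path walks the HMAC table. The table size, id 0 being reserved and the return values are assumptions; run_sequence() returns the chosen default HMAC id, or -1 when the NULL guard the reporter added refuses instead of dereferencing.

```c
#include <stddef.h>
/* User-space model of the interleaving under discussion, not the kernel's
 * code; table size, id 0 being reserved and return values are assumptions. */
#define NUM_HMACS 3
struct hmac_entry { int allocated; };              /* stands in for a crypto TFM */
struct endpoint { struct hmac_entry *auth_hmacs; };
static struct hmac_entry hmac_table[NUM_HMACS] = { {0}, {1}, {1} }; /* id 0 reserved */
static int auth_enable;                            /* models net.sctp.auth_enable */

/* Models sctp_auth_init_hmacs(): the table is only attached if the sysctl is
 * on at endpoint creation; otherwise auth_hmacs stays NULL. */
static void endpoint_init(struct endpoint *ep)
{
	if (!auth_enable) {
		ep->auth_hmacs = NULL;
		return;
	}
	ep->auth_hmacs = hmac_table;
}

/* Models the INIT path: the caller re-reads the sysctl, then the peer's list
 * is walked as in sctp_auth_asoc_set_default_hmac(). Returns the chosen id or
 * -1 when none is chosen. The NULL check is the reporter's guard; without it an
 * endpoint created while the sysctl was 0 indexes a NULL table here. */
static int set_default_hmac(struct endpoint *ep, const int *peer_ids, int n)
{
	if (!auth_enable)      /* the "goto fall_through" case */
		return -1;
	if (!ep->auth_hmacs)   /* sysctl was off when the endpoint was created */
		return -1;
	for (int i = 0; i < n; i++)
		if (peer_ids[i] > 0 && peer_ids[i] < NUM_HMACS &&
		    ep->auth_hmacs[peer_ids[i]].allocated)
			return peer_ids[i];
	return -1;
}

/* Reported sequence: sysctl = enable_at_init while the endpoint is created,
 * then switched to 1 before the peer's INIT is processed. */
int run_sequence(int enable_at_init)
{
	struct endpoint ep;
	const int peer_ids[] = { 1 };   /* constructed peer HMAC-ALGO parameter */
	auth_enable = enable_at_init;
	endpoint_init(&ep);
	auth_enable = 1;
	return set_default_hmac(&ep, peer_ids, 1);
}
```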
2014-04-16  4:52 [PATCH]: NULL pointer dereference in sctp_auth_asoc_set_default_hmac Joshua Kinard
2014-04-16  7:58 ` Daniel Borkmann [this message]
2014-04-16 17:35 ` Joshua Kinard
2014-04-16 19:12 ` Vlad Yasevich
2014-04-16 19:56 ` Joshua Kinard
2014-04-16 20:29 ` Vlad Yasevich
2014-04-16 20:30 ` Daniel Borkmann
2014-04-16 21:49 ` Joshua Kinard