* SCTP ASCONF Set Primary Address Parameter Type bug
@ 2015-01-28 16:45 Saran Maruti Ramanara
From: Saran Maruti Ramanara @ 2015-01-28 16:45 UTC (permalink / raw)
To: linux-sctp
Hi,
While investigating CVE-2014-7841 patched by e40607cbe270, I noticed that in sctp_process_param() in the switch-case where param.p->type == SCTP_PARAM_SET_PRIMARY (0xC004), the argument to param_type2af() is param.p->type, which is always 0xC004 in this case, and not addr_param's type. This causes af to always be NULL, i.e. even when IPv4 or IPv6 Address sub-parameters are received.
The following patch--untested for functionality, compiles against c59c961ca511--gets the right Address Parameter type through to param_type2af().
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index e49e231..06320c8 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2608,7 +2608,7 @@ do_addr_param:
addr_param = param.v + sizeof(sctp_addip_param_t);
- af = sctp_get_af_specific(param_type2af(param.p->type));
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
if (af = NULL)
break;
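Review bot: the `+` line reads `addr_param->p.type` immediately after `addr_param = param.v + sizeof(sctp_addip_param_t);`, but nothing in this hunk shows that the parameter's length covers both the sctp_addip_param_t header and the nested address parameter header that is now dereferenced; unless an earlier validation pass already guarantees that for SCTP_PARAM_SET_PRIMARY, add a length check before the read, or say in the commit message where that bound is enforced. The substitution itself is right: the old argument was the outer type, always SCTP_PARAM_SET_PRIMARY, so param_type2af() could never return an address family and the NULL check that follows broke out of the case for every Set Primary Address parameter.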
--
Regards,
Saran Neti, TELUS Security Labs
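The following is an added user-space model of the parameter layout described in the message above, not code from the kernel or from this patch. It mirrors the kernel's param_type2af() mapping, builds a Set Primary Address parameter with a nested IPv4 or IPv6 Address Parameter from constructed bytes, and resolves the address family both the buggy way (outer type) and the fixed way (nested type), with the length checks a receiver needs before touching the nested header. The helpers build_set_primary(), set_primary_af() and demo_lookup() and the sample addresses are assumptions made for the example.

```c
/*
 * Added example (not kernel code): a user-space model of the parameter
 * layout sctp_process_param() sees for SCTP_PARAM_SET_PRIMARY, showing
 * why looking up the outer parameter's type finds no address family
 * while the nested Address Parameter's type does.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parameter type codes from RFC 4960 sec. 3.3.2.1 and RFC 5061 sec. 4.2. */
#define SCTP_PARAM_IPV4_ADDRESS 0x0005
#define SCTP_PARAM_IPV6_ADDRESS 0x0006
#define SCTP_PARAM_SET_PRIMARY  0xC004

/* Wire headers; names follow the kernel's but these are local definitions. */
struct sctp_paramhdr {
    uint16_t type;    /* network byte order */
    uint16_t length;  /* network byte order, includes this header */
} __attribute__((packed));

/* Set Primary Address: header, 32-bit correlation id, then one Address Parameter. */
struct sctp_addip_param {
    struct sctp_paramhdr p;
    uint32_t crr_id;
} __attribute__((packed));

/* Same mapping as the kernel's param_type2af(): 0 for anything that is not an address parameter. */
static int param_type2af(uint16_t type_be)
{
    switch (ntohs(type_be)) {
    case SCTP_PARAM_IPV4_ADDRESS: return AF_INET;
    case SCTP_PARAM_IPV6_ADDRESS: return AF_INET6;
    default:                      return 0;
    }
}

/* Serialise a Set Primary Address parameter carrying one nested address parameter.
 * Returns the bytes written, or 0 if the buffer is too small. */
static size_t build_set_primary(uint8_t *out, size_t cap, uint16_t addr_type,
                                const void *addr, size_t addr_len)
{
    size_t nested = sizeof(struct sctp_paramhdr) + addr_len;
    size_t total  = sizeof(struct sctp_addip_param) + nested;
    struct sctp_addip_param outer;
    struct sctp_paramhdr inner;

    if (total > cap || total > 0xFFFF)
        return 0;
    outer.p.type   = htons(SCTP_PARAM_SET_PRIMARY);
    outer.p.length = htons((uint16_t)total);
    outer.crr_id   = htonl(1);                     /* arbitrary correlation id */
    inner.type     = htons(addr_type);
    inner.length   = htons((uint16_t)nested);
    memcpy(out, &outer, sizeof(outer));
    memcpy(out + sizeof(outer), &inner, sizeof(inner));
    memcpy(out + sizeof(outer) + sizeof(inner), addr, addr_len);
    return total;
}

/* Resolve the address family of a Set Primary Address parameter.
 * Returns AF_INET/AF_INET6, 0 when the looked-up type is not an address type
 * (the case the kernel then sees as af == NULL), or -1 when the bytes do not
 * hold a complete outer header plus a nested parameter header.
 * use_outer_type reproduces the bug in the thread: the lookup is done on the
 * outer parameter's type instead of the nested Address Parameter's type. */
static int set_primary_af(const uint8_t *buf, size_t len, int use_outer_type)
{
    const struct sctp_addip_param *param;
    const struct sctp_paramhdr *addr_param;
    size_t plen, alen;

    if (len < sizeof(*param))
        return -1;
    param = (const struct sctp_addip_param *)buf;
    plen  = ntohs(param->p.length);
    if (ntohs(param->p.type) != SCTP_PARAM_SET_PRIMARY || plen > len)
        return -1;
    /* The nested Address Parameter header must lie inside the outer parameter. */
    if (plen < sizeof(*param) + sizeof(*addr_param))
        return -1;
    addr_param = (const struct sctp_paramhdr *)(buf + sizeof(*param));
    alen = ntohs(addr_param->length);
    if (alen < sizeof(*addr_param) || sizeof(*param) + alen > plen)
        return -1;

    return param_type2af(use_outer_type ? param->p.type : addr_param->type);
}

/* Build a parameter with a constructed address of the given type and resolve it;
 * `truncate` drops that many trailing bytes first to model a short parameter. */
static int demo_lookup(uint16_t addr_type, size_t addr_len, int use_outer_type, size_t truncate)
{
    uint8_t buf[64];
    uint8_t addr[16] = { 192, 0, 2, 1 };   /* constructed sample address bytes */
    size_t n;

    if (addr_len > sizeof(addr))
        return -2;
    n = build_set_primary(buf, sizeof buf, addr_type, addr, addr_len);
    if (n == 0 || truncate > n)
        return -2;
    return set_primary_af(buf, n - truncate, use_outer_type);
}

int main(void)
{
    printf("IPv4, outer-type lookup (bug): %d\n", demo_lookup(SCTP_PARAM_IPV4_ADDRESS, 4, 1, 0));
    printf("IPv4, nested-type lookup:      %d (AF_INET=%d)\n",
           demo_lookup(SCTP_PARAM_IPV4_ADDRESS, 4, 0, 0), AF_INET);
    printf("IPv6, nested-type lookup:      %d (AF_INET6=%d)\n",
           demo_lookup(SCTP_PARAM_IPV6_ADDRESS, 16, 0, 0), AF_INET6);
    printf("IPv6, one byte short:          %d\n", demo_lookup(SCTP_PARAM_IPV6_ADDRESS, 16, 0, 1));
    return 0;
}
```

With the outer type the lookup always yields 0, matching the af == NULL path the message describes; with the nested type the IPv4 and IPv6 cases resolve, and a parameter whose declared length does not fit in the received bytes is rejected before the nested header is read.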
* Re: SCTP ASCONF Set Primary Address Parameter Type bug
From: Daniel Borkmann @ 2015-01-28 18:02 UTC (permalink / raw)
To: linux-sctp
Hi Saran,
On 01/28/2015 05:45 PM, Saran Maruti Ramanara wrote:
...
> While investigating CVE-2014-7841 patched by e40607cbe270, I noticed that in sctp_process_param() in the switch-case where param.p->type == SCTP_PARAM_SET_PRIMARY (0xC004), the argument to param_type2af() is param.p->type, which is always 0xC004 in this case, and not addr_param's type. This causes af to always be NULL, i.e. even when IPv4 or IPv6 Address sub-parameters are received.
>
> The following patch--untested for functionality, compiles against c59c961ca511--gets the right Address Parameter type through to param_type2af().
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index e49e231..06320c8 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2608,7 +2608,7 @@ do_addr_param:
>
> addr_param = param.v + sizeof(sctp_addip_param_t);
>
> - af = sctp_get_af_specific(param_type2af(param.p->type));
> + af = sctp_get_af_specific(param_type2af(addr_param->p.type));
Good catch, can you send an official patch to netdev?
Thanks,
Daniel
> if (af = NULL)
> break;
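Review bot: for the official netdev submission Daniel asks for, this hunk needs a commit message that states the defect plainly (the lookup used the outer parameter's type, always SCTP_PARAM_SET_PRIMARY, so param_type2af() returned no family and every Set Primary Address parameter was dropped at the NULL check), a Fixes: tag naming the commit that introduced the lookup (not identified in this thread), and a Signed-off-by; since the cover text says the change only compiles against c59c961ca511 and is untested for functionality, the message should also say how the fixed path was exercised, for example by sending an INIT carrying a Set Primary Address parameter with an IPv4 and an IPv6 sub-parameter and confirming the primary path changes.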
>
> --
> Regards,
> Saran Neti, TELUS Security Labs
>