[PATCH] SCTP: Fix sctp_auth_asoc_get_hmac() to avoid kernel panic

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] SCTP: Fix sctp_auth_asoc_get_hmac() to avoid kernel panic
@ 2008-03-20  5:53 Wei Yongjun
  2008-03-20 12:20 ` Vlad Yasevich
  0 siblings, 1 reply; 3+ messages in thread
From: Wei Yongjun @ 2008-03-20  5:53 UTC (permalink / raw)
  To: lksctp-developers; +Cc: Vlad Yasevich, netdev, David Miller

If association is setup with HMAC-ALGO parameter in which there is no 
HMAC algorithm supported by the endpoint, send a chunk with AUTH will 
cause kernel panic.

This is because  when send chunk with AUTH, sctp_auth_asoc_get_hmac() 
will be used to get the hmac. In this function, if the HMAC-ALGO is 
empty, it return NULL. If is not empty, it will find a valid hmac for 
using. But if all of the HMAC-ALGOs is not supported by endpoint, it 
will return a bogus pointer, not expected NULL pointer.

This patch fix this problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>

--- a/net/sctp/auth.c	2008-02-11 17:14:05.000000000 -0500
+++ b/net/sctp/auth.c	2008-02-14 02:01:18.000000000 -0500
@@ -549,13 +549,10 @@ struct sctp_hmac *sctp_auth_asoc_get_hma
 		if (!sctp_hmac_list[id].hmac_name)
 			continue;

-		break;
+		return &sctp_hmac_list[id];
 	}

-	if (id == 0)
-		return NULL;
-
-	return &sctp_hmac_list[id];
+	return NULL;
 }

 static int __sctp_auth_find_hmacid(__be16 *hmacs, int n_elts, __be16 hmac_id)

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] SCTP: Fix sctp_auth_asoc_get_hmac() to avoid kernel panic
  2008-03-20  5:53 [PATCH] SCTP: Fix sctp_auth_asoc_get_hmac() to avoid kernel panic Wei Yongjun
@ 2008-03-20 12:20 ` Vlad Yasevich
  2008-03-21  1:51   ` Wei Yongjun
  0 siblings, 1 reply; 3+ messages in thread
From: Vlad Yasevich @ 2008-03-20 12:20 UTC (permalink / raw)
  To: Wei Yongjun; +Cc: lksctp-developers, netdev, David Miller

Hi Wei

Wei Yongjun wrote:
> If association is setup with HMAC-ALGO parameter in which there is no 
> HMAC algorithm supported by the endpoint, send a chunk with AUTH will 
> cause kernel panic.
> 
> This is because  when send chunk with AUTH, sctp_auth_asoc_get_hmac() 
> will be used to get the hmac. In this function, if the HMAC-ALGO is 
> empty, it return NULL. If is not empty, it will find a valid hmac for 
> using. But if all of the HMAC-ALGOs is not supported by endpoint, it 
> will return a bogus pointer, not expected NULL pointer.

This is a workaround, but this problem must never never happen.
RFC 4890 has the following text:

   The HMAC algorithm based on SHA-1 MUST be supported and
   included in the HMAC-ALGO parameter.

As a result, we need to check in sctp_verify_param() that HMAC_SHA1 is
present in the list.  If not, we should probably treat this as a protocol
violation.

It should also be a protocol violation if the HMAC parameter is empty.

That could almost remove the need for the sctp-auth_asoc_get_hmac() function.

-vlad

> 
> This patch fix this problem.
> 
> Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
> 
> --- a/net/sctp/auth.c    2008-02-11 17:14:05.000000000 -0500
> +++ b/net/sctp/auth.c    2008-02-14 02:01:18.000000000 -0500
> @@ -549,13 +549,10 @@ struct sctp_hmac *sctp_auth_asoc_get_hma
>         if (!sctp_hmac_list[id].hmac_name)
>             continue;
> 
> -        break;
> +        return &sctp_hmac_list[id];
>     }
> 
> -    if (id == 0)
> -        return NULL;
> -
> -    return &sctp_hmac_list[id];
> +    return NULL;
> }
> 
> static int __sctp_auth_find_hmacid(__be16 *hmacs, int n_elts, __be16 
> hmac_id)
> 
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] SCTP: Fix sctp_auth_asoc_get_hmac() to avoid kernel panic
  2008-03-20 12:20 ` Vlad Yasevich
@ 2008-03-21  1:51   ` Wei Yongjun
  0 siblings, 0 replies; 3+ messages in thread
From: Wei Yongjun @ 2008-03-21  1:51 UTC (permalink / raw)
  To: Vlad Yasevich; +Cc: lksctp-developers, netdev, David Miller

Hi Vlad:

Vlad Yasevich wrote:
> Hi Wei
>
> Wei Yongjun wrote:
>> If association is setup with HMAC-ALGO parameter in which there is no 
>> HMAC algorithm supported by the endpoint, send a chunk with AUTH will 
>> cause kernel panic.
>>
>> This is because  when send chunk with AUTH, sctp_auth_asoc_get_hmac() 
>> will be used to get the hmac. In this function, if the HMAC-ALGO is 
>> empty, it return NULL. If is not empty, it will find a valid hmac for 
>> using. But if all of the HMAC-ALGOs is not supported by endpoint, it 
>> will return a bogus pointer, not expected NULL pointer.
>
> This is a workaround, but this problem must never never happen.

This can happened under attack. I have a test case to found this problem.

> RFC 4890 has the following text:
>
>   The HMAC algorithm based on SHA-1 MUST be supported and
>   included in the HMAC-ALGO parameter.
>
> As a result, we need to check in sctp_verify_param() that HMAC_SHA1 is
> present in the list.  If not, we should probably treat this as a protocol
> violation.
>
> It should also be a protocol violation if the HMAC parameter is empty.

Agree, I will make a patch to fix this.

>
> That could almost remove the need for the sctp-auth_asoc_get_hmac() 
> function.

If we do the above check, this function can be removed. I do a test 
after the new patch is create.



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2008-03-21  1:49 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-03-20  5:53 [PATCH] SCTP: Fix sctp_auth_asoc_get_hmac() to avoid kernel panic Wei Yongjun
2008-03-20 12:20 ` Vlad Yasevich
2008-03-21  1:51   ` Wei Yongjun

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).