From: Vlad Yasevich <vladislav.yasevich@hp.com>
To: Eugene Teo <eteo@redhat.com>
Cc: davem@davemloft.net, netdev@vger.kernel.org,
linux-sctp@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH] sctp: add verification checks to SCTP_AUTH_KEY option
Date: Tue, 26 Aug 2008 09:37:08 -0400 [thread overview]
Message-ID: <48B40704.5040702@hp.com> (raw)
In-Reply-To: <48B371F1.5080605@redhat.com>
Eugene Teo wrote:
> Vlad Yasevich wrote:
>> Eugene Teo wrote:
>>> Vlad Yasevich wrote:
> [...]
>>>> + if (authkey->sca_keylength > optlen) {
>>>> + ret = -EINVAL;
>>>> + goto out;
>>> Is there a better upper bound check?
>> Hm... optlen - sizeof(struct sctp_authkey) is more accurate.
>>
>> There is really no other bound.
>
> Linus suggested that it is better to declare an upper bound for key_len.
> I think it makes a lot of sense as a key shouldn't be as long as the
> boundary limit of its declared data type.
>
>
I am starting to think that this might be completely unnecessary.
The sctp_auth_set_key() function is be called from two places:
1) setsockopt() code path
2) sctp_auth_asoc_set_secret() code path
In case (1), sca_keylength is never going to exceed 65536 since it's
bounded by a u16 from the user api. As such, the malloc() will never
overflow. This is the case we were really concerned about since the user
can supply bogus values.
In case (2), it is possible for the length to exceed 65536 since it's
trying to create a generated key and the algorithm takes raw pieces of the
SCTP handshake packets to do that. However, there is no way that they can
exceed another 132K bytes because max IP datagram size is 65K and both ends
have to exchange security data. Using IPv6 Jumbo extension I guess they can
go higher but we are probably going to fail memory allocations at that point.
That makes the theoretical maximum for the key to be 192K, but that discounts
the Jumbo usage. So, I think using the current INT_MAX is sufficient to catch
possible overflows caused by case (2). I think restricting the size further is
pointless and could end up being too restrictive.
-vlad
prev parent reply other threads:[~2008-08-26 13:37 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080825164440.GA504@kernel.sg>
2008-08-25 20:25 ` [PATCH] sctp: add verification checks to SCTP_AUTH_KEY option Vlad Yasevich
2008-08-25 22:17 ` David Miller
2008-08-26 0:59 ` Eugene Teo
2008-08-26 1:19 ` [Security] " Linus Torvalds
2008-08-26 1:28 ` Linus Torvalds
2008-08-26 1:24 ` Vlad Yasevich
2008-08-26 3:01 ` Eugene Teo
2008-08-26 13:37 ` Vlad Yasevich [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48B40704.5040702@hp.com \
--to=vladislav.yasevich@hp.com \
--cc=davem@davemloft.net \
--cc=eteo@redhat.com \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).