* [PATCH 0/2] sctp: additional overflow fixes
From: Vlad Yasevich @ 2008-08-27 20:03 UTC (permalink / raw)
To: davem; +Cc: eteo, netdev, security, linux-sctp
Hi David
Thanks to Eugene Teo, the following are two more patches that finish
up the overflow fixes in the SCTP AUTH API.
Thanks
-vlad
* [PATCH 1/2] sctp: correct bounds check in sctp_setsockopt_auth_key
From: Vlad Yasevich @ 2008-08-27 20:03 UTC (permalink / raw)
To: davem; +Cc: eteo, netdev, security, linux-sctp, Vlad Yasevich
The bounds check to prevent buffer overflow was not exactly
right. It still allowed overflow of up to 8 bytes which is
sizeof(struct sctp_authkey).
Since optlen is already checked against the size of that struct,
we are guaranteed not to cause integer overflow either.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
---
net/sctp/socket.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index afa952e..9b9b2c3 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3144,7 +3144,7 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
goto out;
}
- if (authkey->sca_keylength > optlen) {
+ if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {
ret = -EINVAL;
goto out;
}
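Review bot: the new condition `authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)` is correct only because of the earlier check that optlen is at least sizeof(struct sctp_authkey): the subtraction is evaluated in size_t, so a shorter optlen would wrap to a huge value and the comparison would then accept any key length. Suggest a one-line comment at the condition naming that dependency, so a later reordering of the checks in sctp_setsockopt_auth_key cannot silently reopen the over-read.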
--
1.5.2.5
* Re: [PATCH 1/2] sctp: correct bounds check in sctp_setsockopt_auth_key
From: David Miller @ 2008-08-27 23:09 UTC (permalink / raw)
To: vladislav.yasevich; +Cc: eteo, netdev, security, linux-sctp
From: Vlad Yasevich <vladislav.yasevich@hp.com>
Date: Wed, 27 Aug 2008 16:03:34 -0400
> The bounds check to prevent buffer overflow was not exactly
> right. It still allowed overflow of up to 8 bytes which is
> sizeof(struct sctp_authkey).
>
> Since optlen is already checked against the size of that struct,
> we are guaranteed not to cause integer overflow either.
>
> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Applied, and queued for -stable.
* Re: [PATCH 1/2] sctp: correct bounds check in sctp_setsockopt_auth_key
From: Eugene Teo @ 2008-08-28 0:01 UTC (permalink / raw)
To: Vlad Yasevich; +Cc: davem, netdev, security, linux-sctp
Vlad Yasevich wrote:
> The bounds check to prevent buffer overflow was not exactly
> right. It still allowed overflow of up to 8 bytes which is
> sizeof(struct sctp_authkey).
>
> Since optlen is already checked against the size of that struct,
> we are guaranteed not to cause integer overflow either.
>
> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: Eugene Teo <eugeneteo@kernel.sg>
Eugene
* [PATCH 2/2] sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
From: Vlad Yasevich @ 2008-08-27 20:03 UTC (permalink / raw)
To: davem; +Cc: eteo, netdev, security, linux-sctp, Vlad Yasevich
The number of identifiers needs to be checked against the option
length. Also, the identifier index provided needs to be verified
to make sure that it doesn't exceed the bounds of the array.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
---
net/sctp/auth.c | 3 +++
net/sctp/socket.c | 6 ++++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 1fcb4cf..52db5f6 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
for (i = 0; i < hmacs->shmac_num_idents; i++) {
id = hmacs->shmac_idents[i];
+ if (id > SCTP_AUTH_HMAC_ID_MAX)
+ return -EOPNOTSUPP;
+
if (SCTP_AUTH_HMAC_ID_SHA1 == id)
has_sha1 = 1;
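Review bot: `id > SCTP_AUTH_HMAC_ID_MAX` admits id == SCTP_AUTH_HMAC_ID_MAX, so this is only right if every table indexed by `id` has SCTP_AUTH_HMAC_ID_MAX + 1 entries; please confirm that, since the socket layer bounds the count with a different constant (SCTP_AUTH_NUM_HMACS) and the two could drift apart. Returning -EOPNOTSUPP here while sctp_setsockopt_hmac_ident returns -EINVAL for a bad count is reasonable if the distinction (unknown algorithm versus malformed option) is intended; a short comment would make that explicit.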
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 9b9b2c3..5ffb9de 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3086,6 +3086,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
int optlen)
{
struct sctp_hmacalgo *hmacs;
+ u32 idents;
int err;
if (!sctp_auth_enable)
@@ -3103,8 +3104,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
goto out;
}
- if (hmacs->shmac_num_idents == 0 ||
- hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
+ idents = hmacs->shmac_num_idents;
+ if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
+ (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
err = -EINVAL;
goto out;
}
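Review bot: the order of the `||` terms matters and deserves a comment: `idents > SCTP_AUTH_NUM_HMACS` must stay ahead of the multiplication so `idents * sizeof(u16)` cannot overflow, and `optlen - sizeof(struct sctp_hmacalgo)` is evaluated in size_t, so it relies on the optlen >= sizeof(struct sctp_hmacalgo) check above this hunk to avoid wrapping. Minor: `sizeof(hmacs->shmac_idents[0])` instead of `sizeof(u16)` would keep the check correct if the identifier type ever changes.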
--
1.5.2.5
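As an added illustration, not the kernel's code and not part of either patch, the C below models the checks from both messages against constructed setsockopt buffers: the pre-fix and post-fix key-length test from patch 1 side by side, and the count, payload-length and id cap from patch 2. The struct layouts and the SCTP_AUTH_NUM_HMACS / SCTP_AUTH_HMAC_ID_MAX values are simplified stand-ins chosen for the example, not the real <netinet/sctp.h> definitions.

```c
#include <errno.h>
#include <stdint.h>
#define SCTP_AUTH_NUM_HMACS   4   /* assumed table size, not the kernel's value */
#define SCTP_AUTH_HMAC_ID_MAX 3   /* assumed highest valid id (table size - 1) */
/* Simplified stand-ins for the option structs: 8-byte key header, 4-byte hmac header. */
struct sctp_authkey { uint32_t sca_assoc_id; uint16_t sca_keynumber;
                      uint16_t sca_keylength; uint8_t sca_key[]; };
struct sctp_hmacalgo { uint32_t shmac_num_idents; uint16_t shmac_idents[]; };
/* Pre-fix patch 1 check: key length vs the whole option, so up to 8 header bytes
 * past the copied buffer are accepted as key data (an over-read). */
static int authkey_check_old(const struct sctp_authkey *k, int optlen)
{
    if (optlen < (int)sizeof(*k)) return -EINVAL;
    return (k->sca_keylength > optlen) ? -EINVAL : 0;
}
/* Post-fix check: header subtracted first; the optlen guard keeps the size_t math from wrapping. */
static int authkey_check_new(const struct sctp_authkey *k, int optlen)
{
    if (optlen < (int)sizeof(*k)) return -EINVAL;
    return (k->sca_keylength > optlen - sizeof(*k)) ? -EINVAL : 0;
}
/* Patch 2: count bounded before the multiply, id bytes bounded by the payload,
 * each id capped so it can index a table of SCTP_AUTH_HMAC_ID_MAX + 1 entries. */
static int hmac_ident_check(const struct sctp_hmacalgo *h, int optlen)
{
    uint32_t idents;
    if (optlen < (int)sizeof(*h)) return -EINVAL;
    idents = h->shmac_num_idents;
    if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
        idents * sizeof(uint16_t) > optlen - sizeof(*h))
        return -EINVAL;
    for (uint32_t i = 0; i < idents; i++)
        if (h->shmac_idents[i] > SCTP_AUTH_HMAC_ID_MAX) return -EOPNOTSUPP;
    return 0;
}
/* Constructed option buffers (4-byte aligned scratch space) to drive the checks. */
static int run_authkey(uint16_t keylen, int optlen, int fixed)
{
    uint32_t buf[16] = {0};
    struct sctp_authkey *k = (struct sctp_authkey *)buf;
    k->sca_keylength = keylen;
    return fixed ? authkey_check_new(k, optlen) : authkey_check_old(k, optlen);
}
static int run_hmac(const uint16_t *ids, uint32_t n, int optlen)
{
    uint32_t buf[16] = {0};
    struct sctp_hmacalgo *h = (struct sctp_hmacalgo *)buf;
    h->shmac_num_idents = n;
    for (uint32_t i = 0; i < n && i < 16; i++) h->shmac_idents[i] = ids[i];
    return hmac_ident_check(h, optlen);
}
```

A 16-byte option claiming a 16-byte key passes the old check (8 bytes of over-read) and fails the new one; an id of 4 against a 4-entry table is rejected before it is ever used as an index.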
* Re: [PATCH 2/2] sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
From: David Miller @ 2008-08-27 23:10 UTC (permalink / raw)
To: vladislav.yasevich; +Cc: eteo, netdev, security, linux-sctp
From: Vlad Yasevich <vladislav.yasevich@hp.com>
Date: Wed, 27 Aug 2008 16:03:35 -0400
> The number of identifiers needs to be checked against the option
> length. Also, the identifier index provided needs to be verified
> to make sure that it doesn't exceed the bounds of the array.
>
> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Also applied and queued to -stable, thanks Vlad.
* Re: [PATCH 2/2] sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
From: Eugene Teo @ 2008-08-28 0:02 UTC (permalink / raw)
To: Vlad Yasevich; +Cc: davem, netdev, security, linux-sctp
Vlad Yasevich wrote:
> The number of identifiers needs to be checked against the option
> length. Also, the identifier index provided needs to be verified
> to make sure that it doesn't exceed the bounds of the array.
>
> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: Eugene Teo <eugeneteo@kernel.sg>
Eugene