| From 0e0c1ec7df927ced394282ff2dbc4da4fd2ffc6f Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 20 Oct 2021 07:42:45 -0400 |
| Subject: sctp: add vtag check in sctp_sf_violation |
| |
| From: Xin Long <lucien.xin@gmail.com> |
| |
| [ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ] |
| |
| sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk |
| in cookie_wait state, and some other places are also using it. |
| |
| The vtag in the chunk's sctphdr should be verified, otherwise, as |
| later in chunk length check, it may send abort with the existent |
| asoc's vtag, which can be exploited by one to cook a malicious |
| chunk to terminate a SCTP asoc. |
| |
| Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") |
| Signed-off-by: Xin Long <lucien.xin@gmail.com> |
| Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/sctp/sm_statefuns.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c |
| index 4b519ec35ab7..e6260946eafe 100644 |
| --- a/net/sctp/sm_statefuns.c |
| +++ b/net/sctp/sm_statefuns.c |
| @@ -4481,6 +4481,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net, |
| { |
| struct sctp_chunk *chunk = arg; |
| |
| + if (!sctp_vtag_verify(chunk, asoc)) |
| + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); |
| + |
| /* Make sure that the chunk has a valid length. */ |
| if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) |
| return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, |
| -- |
| 2.33.0 |
| |
