redonkable
/
remarkable-linux
1
0
Fork 0
Code Releases Activity
remarkable-linux/net/sctp
History
Alexey Kodanev 9b7d723439 sctp: verify size of a new chunk in _sctp_make_chunk() 
[ Upstream commit 07f2c7ab6f ]

When SCTP makes INIT or INIT_ACK packet the total chunk length
can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
transmitting these packets, e.g. the crash on sending INIT_ACK:

[  597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
               put:120156 head:000000007aa47635 data:00000000d991c2de
               tail:0x1d640 end:0xfec0 dev:<NULL>
...
[  597.976970] ------------[ cut here ]------------
[  598.033408] kernel BUG at net/core/skbuff.c:104!
[  600.314841] Call Trace:
[  600.345829]  <IRQ>
[  600.371639]  ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
[  600.436934]  skb_put+0x16c/0x200
[  600.477295]  sctp_packet_transmit+0x2095/0x26d0 [sctp]
[  600.540630]  ? sctp_packet_config+0x890/0x890 [sctp]
[  600.601781]  ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
[  600.671356]  ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
[  600.731482]  sctp_outq_flush+0x663/0x30d0 [sctp]
[  600.788565]  ? sctp_make_init+0xbf0/0xbf0 [sctp]
[  600.845555]  ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
[  600.912945]  ? sctp_outq_tail+0x631/0x9d0 [sctp]
[  600.969936]  sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
[  601.041593]  ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
[  601.104837]  ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
[  601.175436]  ? sctp_eat_data+0x1710/0x1710 [sctp]
[  601.233575]  sctp_do_sm+0x182/0x560 [sctp]
[  601.284328]  ? sctp_has_association+0x70/0x70 [sctp]
[  601.345586]  ? sctp_rcv+0xef4/0x32f0 [sctp]
[  601.397478]  ? sctp6_rcv+0xa/0x20 [sctp]
...

Here the chunk size for INIT_ACK packet becomes too big, mostly
because of the state cookie (INIT packet has large size with
many address parameters), plus additional server parameters.

Later this chunk causes the panic in skb_put_data():

  skb_packet_transmit()
      sctp_packet_pack()
          skb_put_data(nskb, chunk->skb->data, chunk->skb->len);

'nskb' (head skb) was previously allocated with packet->size
from u16 'chunk->chunk_hdr->length'.

As suggested by Marcelo we should check the chunk's length in
_sctp_make_chunk() before trying to allocate skb for it and
discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN.

Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2018-03-11 16:21:34 +01:00
..
Kconfig sctp: add the sctp_diag.c file 2016-04-15 17:29:36 -04:00
Makefile sctp: Add GSO support 2016-06-03 19:37:21 -04:00
associola.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
auth.c sctp: use IS_ENABLED() instead of checking for built-in or module 2016-09-10 21:19:11 -07:00
bind_addr.c sctp: fix copying more bytes than expected in sctp_add_bind_addr 2016-03-08 15:04:08 -05:00
chunk.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
debug.c net: sctp: fix array overrun read on sctp_timer_tbl 2017-12-09 22:01:53 +01:00
endpointola.c sctp: add SCTP_PR_SUPPORTED on sctp sockopt 2016-07-11 13:25:38 -07:00
input.c sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect 2017-11-18 11:22:21 +01:00
inqueue.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
ipv6.c sctp: fix dst refcnt leak in sctp_v6_get_dst() 2018-03-11 16:21:33 +01:00
objcnt.c sctp: fix checkpatch errors with (foo*)|foo * bar|foo* bar 2013-12-26 13:47:47 -05:00
offload.c gso: validate gso_type in GSO handlers 2018-01-31 12:55:55 +01:00
output.c sctp: fix the panic caused by route update 2016-10-26 17:32:19 -04:00
outqueue.c sctp: only update outstanding_bytes for transmitted queue when doing prsctp_prune 2018-02-25 11:05:47 +01:00
primitive.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
probe.c net: sctp: Convert log timestamps to be y2038 safe 2016-03-01 17:18:44 -05:00
proc.c net: Suppress the "Comparison to NULL could be written" warnings 2016-09-30 01:50:45 -04:00
protocol.c sctp: fix dst refcnt leak in sctp_v4_get_dst 2018-03-11 16:21:32 +01:00
sctp_diag.c sctp: Avoid out-of-bounds reads from address storage 2017-09-20 08:19:54 +02:00
sm_make_chunk.c sctp: verify size of a new chunk in _sctp_make_chunk() 2018-03-11 16:21:34 +01:00
sm_sideeffect.c sctp: make sctp_outq_flush/tail/uncork return void 2016-09-18 22:02:33 -04:00
sm_statefuns.c sctp: validate chunk len before actually using it 2016-10-29 12:00:10 -04:00
sm_statetable.c sctp: fix checkpatch errors with indent 2013-12-26 13:47:48 -05:00
socket.c sctp: make use of pre-calculated len 2018-03-03 10:23:28 +01:00
ssnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
sysctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-01-11 23:55:43 -05:00
transport.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
ulpqueue.c sctp: fix missing wake ups in some situations 2017-09-20 08:19:56 +02:00