git.baikalelectronics.ru Git - kernel.git/commit

author	Xin Long <lucien.xin@gmail.com>
	Wed, 20 Oct 2021 11:42:43 +0000 (07:42 -0400)
committer	Jakub Kicinski <kuba@kernel.org>
	Fri, 22 Oct 2021 19:36:44 +0000 (12:36 -0700)
commit	7bba2923b37810071c648a0e47e37a948ee13bf3
tree	fbdc8c871e620407f4ad2b489aa4cba034c8b1cf	tree \| snapshot
parent	528dbd84a0e7dfc52eb8ded134f4262734044bde	commit \| diff

sctp: fix the processing for INIT_ACK chunk

Currently INIT_ACK chunk in non-cookie_echoed state is processed in
sctp_sf_discard_chunk() to send an abort with the existent asoc's
vtag if the chunk length is not valid. But the vtag in the chunk's
sctphdr is not verified, which may be exploited by one to cook a
malicious chunk to terminal a SCTP asoc.

sctp_sf_discard_chunk() also is called in many other places to send
an abort, and most of those have this problem. This patch is to fix
it by sending abort with the existent asoc's vtag only if the vtag
from the chunk's sctphdr is verified in sctp_sf_discard_chunk().

Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(),
the chunk length has been verified before sctp_sf_discard_chunk(),
so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and
sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of
sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>