Re: [PATCH net] sctp: fail if no bound addresses can be used for a given scope

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Mon, 23 Jan 2023 14:59:33 -0300 Marcelo Ricardo Leitner wrote:
> Currently, if you bind the socket to something like:
>         servaddr.sin6_family = AF_INET6;
>         servaddr.sin6_port = htons(0);
>         servaddr.sin6_scope_id = 0;
>         inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
> And then request a connect to:
>         connaddr.sin6_family = AF_INET6;
>         connaddr.sin6_port = htons(20000);
>         connaddr.sin6_scope_id = if_nametoindex("lo");
>         inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
> What the stack does is:
>  - bind the socket
>  - create a new asoc
>  - to handle the connect
>    - copy the addresses that can be used for the given scope
>    - try to connect
> But the copy returns 0 addresses, and the effect is that it ends up
> trying to connect as if the socket wasn't bound, which is not the
> desired behavior. This unexpected behavior also allows KASLR leaks
> through SCTP diag interface.
> The fix here then is, if when trying to copy the addresses that can
> be used for the scope used in connect() it returns 0 addresses, bail
> out. This is what TCP does with a similar reproducer.
> Reported-by: Pietro Borrello <borrello@xxxxxxxxxxxxxxxx>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>

Fixes tag?

[Index of Archives]     [Linux Networking Development]     [Linux OMAP]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     SCTP

  Powered by Linux