On Mon, 23 Jan 2023 14:59:33 -0300 Marcelo Ricardo Leitner wrote:
> Currently, if you bind the socket to something like:
>   servaddr.sin6_family = AF_INET6;
>   servaddr.sin6_port = htons(0);
>   servaddr.sin6_scope_id = 0;
>   inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
>
> And then request a connect to:
>   connaddr.sin6_family = AF_INET6;
>   connaddr.sin6_port = htons(20000);
>   connaddr.sin6_scope_id = if_nametoindex("lo");
>   inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
>
> What the stack does is:
> - bind the socket
> - create a new asoc
> - to handle the connect
> - copy the addresses that can be used for the given scope
> - try to connect
>
> But the copy returns 0 addresses, and the effect is that it ends up
> trying to connect as if the socket wasn't bound, which is not the
> desired behavior. This unexpected behavior also allows KASLR leaks
> through SCTP diag interface.
>
> The fix here then is, if when trying to copy the addresses that can
> be used for the scope used in connect() it returns 0 addresses, bail
> out. This is what TCP does with a similar reproducer.
>
> Reported-by: Pietro Borrello <borrello@xxxxxxxxxxxxxxxx>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>

Fixes tag?
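A user-space model of the scope check the quoted patch describes, added here as an example; it is neither the kernel's code nor the patch author's. The three-level scope ordering, the "bound address is usable if its scope is at least as wide as the peer's" rule, and the -ENETUNREACH return value are this model's assumptions.

```c
/* Added example, not kernel code: models why binding to ::1 and then
 * connecting to the link-local fe88::1 yields zero usable addresses,
 * and what "bail out" looks like instead of continuing as if unbound. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>

/* Simplified scope levels; a lower value is a wider scope (assumption). */
enum scope { SCOPE_GLOBAL = 0, SCOPE_LINK, SCOPE_LOOPBACK };

static enum scope addr_scope(const struct in6_addr *a)
{
    if (IN6_IS_ADDR_LOOPBACK(a))
        return SCOPE_LOOPBACK;
    if (IN6_IS_ADDR_LINKLOCAL(a))   /* fe80::/10, which covers fe88::1 */
        return SCOPE_LINK;
    return SCOPE_GLOBAL;
}

/* Count the bound addresses usable for a peer of scope `peer_scope`:
 * a bound address qualifies only if its scope is at least as wide. */
static int count_in_scope(const struct in6_addr *bound, int nbound,
                          enum scope peer_scope)
{
    int n = 0;
    for (int i = 0; i < nbound; i++)
        if (addr_scope(&bound[i]) <= peer_scope)
            n++;
    return n;
}

/* Model of the connect path: 0 on success, -ENETUNREACH (this model's
 * choice) when no bound address can be used for the peer, rather than
 * silently proceeding as if the socket had never been bound. */
static int model_connect(const char *bound_str, const char *peer_str)
{
    struct in6_addr bound, peer;
    if (inet_pton(AF_INET6, bound_str, &bound) != 1 ||
        inet_pton(AF_INET6, peer_str, &peer) != 1)
        return -EINVAL;
    if (count_in_scope(&bound, 1, addr_scope(&peer)) == 0)
        return -ENETUNREACH;
    return 0;
}

int main(void)
{
    /* The addresses from the quoted reproducer: bound ::1, peer fe88::1 */
    printf("::1 -> fe88::1: %d\n", model_connect("::1", "fe88::1"));
    printf("::1 -> ::1: %d\n", model_connect("::1", "::1"));
    return 0;
}
```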