On Tue, Jan 24, 2023 at 06:14:16PM -0800, Jakub Kicinski wrote:
> On Mon, 23 Jan 2023 14:59:33 -0300 Marcelo Ricardo Leitner wrote:
> > Currently, if you bind the socket to something like:
> >   servaddr.sin6_family = AF_INET6;
> >   servaddr.sin6_port = htons(0);
> >   servaddr.sin6_scope_id = 0;
> >   inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
> >
> > And then request a connect to:
> >   connaddr.sin6_family = AF_INET6;
> >   connaddr.sin6_port = htons(20000);
> >   connaddr.sin6_scope_id = if_nametoindex("lo");
> >   inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
> >
> > What the stack does is:
> > - bind the socket
> > - create a new asoc
> >   - to handle the connect
> >   - copy the addresses that can be used for the given scope
> >   - try to connect
> >
> > But the copy returns 0 addresses, and the effect is that it ends up
> > trying to connect as if the socket wasn't bound, which is not the
> > desired behavior. This unexpected behavior also allows KASLR leaks
> > through SCTP diag interface.
> >
> > The fix here then is, if when trying to copy the addresses that can
> > be used for the scope used in connect() it returns 0 addresses, bail
> > out. This is what TCP does with a similar reproducer.
> >
> > Reported-by: Pietro Borrello <borrello@xxxxxxxxxxxxxxxx>
> > Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
>
> Fixes tag? Lost in Narnia again, I suppose. :)

Ok, I had forgotten it, but now checking, it predates git. What should I
have used in this case again please? Perhaps just:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
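To make the scoping step in the description concrete, here is an added Python model (not kernel code and not part of the thread) of why "copy the addresses that can be used for the given scope" comes back empty for a loopback-bound socket connecting to a link-local destination, together with the bail-out the patch description asks for. The scope ranking and the "source scope must be at least as wide as the destination's" rule are assumptions modelled on the kernel's enum sctp_scope and its default scope policy; the constructed sample addresses are the ones from the reproducer above.

```python
import ipaddress
from enum import IntEnum


# Scope ranks, widest first. Assumption: modelled on the kernel's
# enum sctp_scope; the authoritative ordering lives in net/sctp/.
class Scope(IntEnum):
    GLOBAL = 0
    PRIVATE = 1
    LINK = 2
    LOOPBACK = 3
    UNUSABLE = 4


def sctp_scope(addr: str) -> Scope:
    """Classify one address the way the stack ranks it (simplified)."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return Scope.UNUSABLE
    if ip.is_loopback:          # ::1 / 127.0.0.0/8
        return Scope.LOOPBACK
    if ip.is_link_local:        # fe80::/10, so fe88::1 lands here
        return Scope.LINK
    if ip.is_private:           # RFC 1918 / fc00::/7
        return Scope.PRIVATE
    return Scope.GLOBAL


def usable_local_addrs(bound: list, dst: str) -> list:
    """The 'copy the addresses usable for the given scope' step: a bound
    address survives only if its scope is at least as wide as (ranked <=)
    the destination's. A loopback source (rank 3) is therefore dropped for
    a link-local destination (rank 2), and the copy returns nothing."""
    dst_scope = sctp_scope(dst)
    return [a for a in bound
            if sctp_scope(a) != Scope.UNUSABLE and sctp_scope(a) <= dst_scope]


def connect_local_addrs(bound: list, dst: str) -> list:
    """Behaviour the patch description asks for: if the socket is bound but
    none of its addresses fit dst's scope, bail out instead of silently
    continuing as though the socket had never been bound."""
    addrs = usable_local_addrs(bound, dst)
    if bound and not addrs:
        raise ConnectionError(f"no bound address usable for {dst}")
    return addrs


def connect_is_refused(bound: list, dst: str) -> bool:
    try:
        connect_local_addrs(bound, dst)
    except ConnectionError:
        return True
    return False
```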