On Wed, Jun 21, 2023 at 5:56 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Eric Dumazet says:
> nf_conntrack_dccp_packet() has a unique:
>
> dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
>
> And nothing more is 'pulled' from the packet, depending on the content
> (dh->dccph_doff, and/or dh->dccph_x ...).
> So dccp_ack_seq() is happily reading stuff past the _dh buffer.
>
> BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
> Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
> [..]
>
> Fix this by increasing the stack buffer to also include room for
> the extra sequence numbers and all the known dccp packet type headers,
> then pull again after the initial validation of the basic header.
>
> While at it, mark packets invalid that lack the 48-bit sequence bit but
> where the RFC says the type MUST use them.
>
> Compile tested only.
>
> v2: first skb_header_pointer() now needs to adjust the size to
> only pull the generic header. (Eric)
>
> Heads-up: I intend to remove dccp conntrack support later this year.
>
> Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
> Reported-by: Eric Dumazet <edumazet@xxxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>

Thanks Florian.
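Added illustration (not part of the thread, not the patch's code, and not code from the kernel tree): a user-space model of the two-phase pull the commit message describes. header_pointer() stands in for skb_header_pointer() and always copies into the caller's buffer so the buffer size matters the way the stack buffer does in conntrack; the header sizes are the DCCP wire layout from RFC 4340 (12-byte generic header, 4-byte extension when X=1, an 8- or 4-byte acknowledgement subheader); the X-bit rule is RFC 4340 section 5.1. The function names, the verdict values and the two sample packets are constructed for this example. dccp_short_pull_underreads() reports the gap the KASAN splat was about: a 12-byte pull followed by an ack read that needs up to 24 bytes.

```c
/* Two-phase DCCP header pull: validate the 12-byte generic header first,
 * then pull the full header (sequence extension + ack subheader) into a
 * buffer sized for the largest thing we will read. User-space model. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DCCP_HDR_LEN  12                /* sizeof(struct dccp_hdr) */
#define DCCP_EXT_LEN  4                 /* sizeof(struct dccp_hdr_ext), X=1 only */
#define DCCP_ACK_LEN  8                 /* ack subheader with X=1 (4 with X=0) */
#define DCCP_MAX_PULL (DCCP_HDR_LEN + DCCP_EXT_LEN + DCCP_ACK_LEN)

enum { DCCP_REQUEST, DCCP_RESPONSE, DCCP_DATA, DCCP_ACK, DCCP_DATAACK,
       DCCP_CLOSEREQ, DCCP_CLOSE, DCCP_RESET, DCCP_SYNC, DCCP_SYNCACK };
enum { DCCP_OK = 0, DCCP_INVALID = -1 };   /* hypothetical verdicts */

struct dccp_info { unsigned type; bool x; uint64_t seq; bool has_ack; uint64_t ack; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Stand-in for skb_header_pointer(): copy len bytes at off into buf, or
 * return NULL when the packet does not carry them. */
static const uint8_t *header_pointer(const uint8_t *pkt, size_t pkt_len,
                                     size_t off, size_t len, uint8_t *buf)
{
    if (off > pkt_len || len > pkt_len - off)
        return NULL;
    memcpy(buf, pkt + off, len);
    return buf;
}

/* Byte 8 of the generic header: Reserved(3) | Type(4) | X(1). */
static unsigned dccp_type(const uint8_t *h)     { return (h[8] >> 1) & 0x0f; }
static bool     dccp_x(const uint8_t *h)        { return h[8] & 1; }
static size_t   dccp_basic_len(const uint8_t *h) { return DCCP_HDR_LEN + (dccp_x(h) ? DCCP_EXT_LEN : 0); }
/* Every type except Request and Data carries an Acknowledgement Number. */
static bool     dccp_has_ack(unsigned t)        { return t != DCCP_REQUEST && t != DCCP_DATA; }
/* RFC 4340 s5.1: only Data, Ack and DataAck may use 24-bit sequence numbers. */
static bool     dccp_needs_x(unsigned t)        { return t != DCCP_DATA && t != DCCP_ACK && t != DCCP_DATAACK; }

/* Bytes the ack-reading code will touch: basic header plus ack subheader. */
static size_t dccp_required_len(const uint8_t *h)
{
    size_t n = dccp_basic_len(h);
    if (dccp_has_ack(dccp_type(h)))
        n += dccp_x(h) ? DCCP_ACK_LEN : 4;
    return n;
}

int dccp_parse(const uint8_t *pkt, size_t pkt_len, size_t dataoff, struct dccp_info *out)
{
    uint8_t buf[DCCP_MAX_PULL];            /* room for everything read below */
    const uint8_t *h;

    /* Phase 1: pull only the generic header; type and X are untrusted input. */
    h = header_pointer(pkt, pkt_len, dataoff, DCCP_HDR_LEN, buf);
    if (!h)
        return DCCP_INVALID;
    unsigned type = dccp_type(h);
    if (type > DCCP_SYNCACK)
        return DCCP_INVALID;
    if (!dccp_x(h) && dccp_needs_x(type))  /* X MUST be 1 for this type */
        return DCCP_INVALID;

    /* Phase 2: Data Offset (32-bit words) must cover the full header, the
     * buffer must hold it, and the packet must actually carry it. */
    size_t need = dccp_required_len(h);
    if ((size_t)h[4] * 4 < need || need > sizeof(buf))
        return DCCP_INVALID;
    h = header_pointer(pkt, pkt_len, dataoff, need, buf);
    if (!h)
        return DCCP_INVALID;

    out->type = type;
    out->x = dccp_x(h);
    out->seq = out->x ? ((uint64_t)be16(h + 10) << 32 | be32(h + 12))   /* 48-bit */
                      : ((uint64_t)h[9] << 16 | be16(h + 10));           /* 24-bit */
    out->has_ack = dccp_has_ack(type);
    out->ack = 0;
    if (out->has_ack) {
        const uint8_t *a = h + dccp_basic_len(h);   /* what dccp_ack_seq() reads */
        out->ack = out->x ? ((uint64_t)be16(a + 2) << 32 | be32(a + 4))
                          : ((uint64_t)a[1] << 16 | be16(a + 2));
    }
    return DCCP_OK;
}

/* 1 when a 12-byte pull leaves part of the ack subheader unread. */
int dccp_short_pull_underreads(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[DCCP_HDR_LEN];
    const uint8_t *h = header_pointer(pkt, pkt_len, 0, DCCP_HDR_LEN, buf);
    return h != NULL && dccp_required_len(h) > DCCP_HDR_LEN;
}

/* Constructed samples, not captured traffic. Checksums are not verified here. */
static const uint8_t sample_ack_x1[24] = {      /* DCCP-Ack, X=1, doff=6 words */
    0x04, 0xd2, 0x1f, 0x90, 0x06, 0x00, 0x00, 0x00,
    (DCCP_ACK << 1) | 1, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05,   /* seq 0x000102030405 */
    0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,                  /* ack 0x0a0b0c0d0e0f */
};
static const uint8_t sample_dataack_x0[16] = {  /* DCCP-DataAck, X=0, doff=4 words */
    0x04, 0xd2, 0x1f, 0x90, 0x04, 0x00, 0x00, 0x00,
    (DCCP_DATAACK << 1) | 0, 0x11, 0x22, 0x33,                       /* seq 0x112233 */
    0x00, 0x44, 0x55, 0x66,                                          /* ack 0x445566 */
};

int main(void)
{
    struct dccp_info i;
    if (dccp_parse(sample_ack_x1, sizeof sample_ack_x1, 0, &i) != DCCP_OK)
        return 1;
    printf("type %u x %d seq %#" PRIx64 " ack %#" PRIx64 " (12-byte pull short: %d)\n",
           i.type, i.x, i.seq, i.ack,
           dccp_short_pull_underreads(sample_ack_x1, sizeof sample_ack_x1));
    return 0;
}
```

The point of the second pull is that the size depends on fields read in the first one, so neither pull alone is enough: the first must not read past the 12 bytes it asked for, and the buffer must already be large enough for whatever the second will bring in, which is why the same oversized buf is used for both.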