Patch "Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk"" has been added to the 4.14-stable tree

This is a note to let you know that I've just added the patch titled

    Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk"

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     revert-netfilter-conntrack-fix-bug-in-for_each_sctp_.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0e7528b091ccdcf79892af732c349830c6d78d7d
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Thu Jan 26 02:35:21 2023 +0100

    Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk"
    
    [ Upstream commit bd0e06f0def75ba26572a94e5350324474a55562 ]
    
    There is no bug.  If sch->length == 0, this would result in an infinite
    loop, but first caller, do_basic_checks(), errors out in this case.
    
    After this change, packets with bogus zero-length chunks are no longer
    detected as invalid, so revert & add comment wrt. 0 length check.
    
    Fixes: 98ee00774525 ("netfilter: conntrack: fix bug in for_each_sctp_chunk")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index cffd37f56c5c0..6166c2012e0d8 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -182,10 +182,11 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 }
 #endif
 
+/* do_basic_checks ensures sch->length > 0, do not use before */
 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)	\
 for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0;	\
-	((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) &&	\
-	(sch)->length;	\
+	(offset) < (skb)->len &&					\
+	((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));	\
 	(offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
 
 /* Some validity checks to make sure the chunks are fine */
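
Review bot: the added comment above for_each_sctp_chunk says "do not use before" without saying why, and nothing in the macro enforces it. With the `(sch)->length` test dropped from the loop condition, a zero-length chunk makes the step `(offset) += (ntohs((sch)->length) + 3) & ~3` add 0, so the `(offset) < (skb)->len` bound never trips and termination depends entirely on the caller rejecting the chunk inside the loop body, which the commit message says do_basic_checks() does. Suggest expanding the comment to state that a zero length leaves offset unchanged, and that any other user of the macro must either run after do_basic_checks() has passed or test sch->length itself in the loop body.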


