On Tue, Mar 15, 2022 at 03:26:02PM +0200, Ovidiu Panait wrote:
> From: Xin Long <lucien.xin@xxxxxxxxx>
>
> commit 438b95a7c98f77d51cbf4db021f41b602d750a3f upstream.
>
> Currently INIT_ACK chunk in non-cookie_echoed state is processed in
> sctp_sf_discard_chunk() to send an abort with the existent asoc's
> vtag if the chunk length is not valid. But the vtag in the chunk's
> sctphdr is not verified, which may be exploited by one to cook a
> malicious chunk to terminate a SCTP asoc.
>
> sctp_sf_discard_chunk() also is called in many other places to send
> an abort, and most of those have this problem. This patch is to fix
> it by sending abort with the existent asoc's vtag only if the vtag
> from the chunk's sctphdr is verified in sctp_sf_discard_chunk().
>
> Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(),
> the chunk length has been verified before sctp_sf_discard_chunk(),
> so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and
> sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of
> sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
> Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
> [OP: adjusted context for 4.14]
> Signed-off-by: Ovidiu Panait <ovidiu.panait@xxxxxxxxxxxxx>
> ---
> net/sctp/sm_statefuns.c | 37 +++++++++++++++++++------------------
> 1 file changed, 19 insertions(+), 18 deletions(-)

All backports now queued up, thanks.

greg k-h
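The decision the quoted commit message describes, as an added, simplified model that is not the kernel's code and not part of this thread: the `model_asoc`/`model_chunk` structs and the `discard_chunk_before`/`discard_chunk_after` functions are invented for illustration, and only the ordering of the checks mirrors the fix (verify the vtag in the SCTP common header before a malformed chunk is allowed to trigger an ABORT carrying the association's vtag). The sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types; the real kernel uses struct sctp_association
 * and struct sctp_chunk, which carry far more state than this. */
enum disposition {
    DISP_DISCARD,              /* drop silently, no packet sent */
    DISP_ABORT_WITH_ASOC_VTAG  /* send ABORT tagged with the asoc's vtag */
};

struct model_asoc {
    uint32_t peer_vtag;   /* vtag expected in the header of inbound packets */
};

struct model_chunk {
    uint32_t hdr_vtag;    /* vtag found in the packet's SCTP common header */
    size_t length;        /* chunk length as seen on the wire */
    size_t required_len;  /* minimum valid length for this chunk type */
};

static bool chunk_length_valid(const struct model_chunk *c)
{
    return c->length >= c->required_len;
}

/* Analogue of sctp_vtag_verify(): the header vtag must match what the
 * association expects, otherwise the packet is not from our peer. */
static bool vtag_verify(const struct model_asoc *a, const struct model_chunk *c)
{
    return c->hdr_vtag == a->peer_vtag;
}

/* Pre-fix behaviour: a chunk with an invalid length triggers an ABORT
 * with the association's vtag, whatever vtag the packet carried. */
enum disposition discard_chunk_before(const struct model_asoc *a,
                                      const struct model_chunk *c)
{
    (void)a; /* the vtag was never consulted */
    if (!chunk_length_valid(c))
        return DISP_ABORT_WITH_ASOC_VTAG;
    return DISP_DISCARD;
}

/* Post-fix behaviour: the vtag is verified first; a packet that fails
 * verification is discarded without any ABORT, so a malformed chunk can
 * only tear down the association if it already carries the right vtag. */
enum disposition discard_chunk_after(const struct model_asoc *a,
                                     const struct model_chunk *c)
{
    if (!vtag_verify(a, c))
        return DISP_DISCARD;
    if (!chunk_length_valid(c))
        return DISP_ABORT_WITH_ASOC_VTAG;
    return DISP_DISCARD;
}

int main(void)
{
    /* Constructed sample: an association expecting vtag 0x1234abcd. */
    struct model_asoc asoc = { .peer_vtag = 0x1234abcd };

    /* Constructed sample: a too-short chunk whose header vtag is wrong. */
    struct model_chunk wrong_vtag = { .hdr_vtag = 0x00000001,
                                      .length = 2, .required_len = 4 };
    /* Constructed sample: a too-short chunk from the genuine peer. */
    struct model_chunk right_vtag = { .hdr_vtag = 0x1234abcd,
                                      .length = 2, .required_len = 4 };

    printf("wrong vtag, bad length: before=%d after=%d\n",
           discard_chunk_before(&asoc, &wrong_vtag),
           discard_chunk_after(&asoc, &wrong_vtag));
    printf("right vtag, bad length: before=%d after=%d\n",
           discard_chunk_before(&asoc, &right_vtag),
           discard_chunk_after(&asoc, &right_vtag));
    return 0;
}
```

The two runs show the property the fix restores: with the vtag unverified, any packet with a malformed chunk produced an ABORT, so the association's lifetime did not depend on the sender knowing the vtag at all; after the change, only a packet that passes vtag verification reaches the length check and the ABORT path.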