Re: [PATCH 4.4 19/92] sctp: delay the authentication for the duplicated cookie-echo chunk

From: Marcelo Ricardo Leitner
Date: Thu Jun 07 2018 - 14:21:59 EST


On Wed, Jun 06, 2018 at 11:31:47PM +0100, Ben Hutchings wrote:
> On Thu, 2018-05-24 at 11:37 +0200, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Xin Long <lucien.xin@xxxxxxxxx>
> >
> > [ Upstream commit 59d8d4434f429b4fa8a346fd889058bda427a837 ]
> >
> > Now sctp only delays the authentication for the normal cookie-echo
> > chunk by setting chunk->auth_chunk in sctp_endpoint_bh_rcv(). But
> > for the duplicated one with auth, in sctp_assoc_bh_rcv(), it does
> > authentication first based on the old asoc, which will definitely
> > fail due to the different auth info in the old asoc.
> [...]
> > --- a/net/sctp/associola.c
> > +++ b/net/sctp/associola.c
> > @@ -1000,9 +1000,10 @@ static void sctp_assoc_bh_rcv(struct wor
> >   struct sctp_endpoint *ep;
> >   struct sctp_chunk *chunk;
> >   struct sctp_inq *inqueue;
> > - int state;
> >   sctp_subtype_t subtype;
> > + int first_time = 1; /* is this the first time through the loop */
> >   int error = 0;
> > + int state;
> >  
> >   /* The association should be held so we should be safe. */
> >   ep = asoc->ep;
> > @@ -1013,6 +1014,30 @@ static void sctp_assoc_bh_rcv(struct wor
> >   state = asoc->state;
> >   subtype = SCTP_ST_CHUNK(chunk->chunk_hdr->type);
> >  
> > + /* If the first chunk in the packet is AUTH, do special
> > +  * processing specified in Section 6.3 of SCTP-AUTH spec
> > +  */
> > + if (first_time && subtype.chunk == SCTP_CID_AUTH) {
> > + struct sctp_chunkhdr *next_hdr;
> > +
> > + next_hdr = sctp_inq_peek(inqueue);
> > + if (!next_hdr)
> > + goto normal;
> > +
> > + /* If the next chunk is COOKIE-ECHO, skip the AUTH
> > +  * chunk while saving a pointer to it so we can do
> > +  * Authentication later (during cookie-echo
> > +  * processing).
> > +  */
> > + if (next_hdr->type == SCTP_CID_COOKIE_ECHO) {
> > + chunk->auth_chunk = skb_clone(chunk->skb,
> > +       GFP_ATOMIC);
> > + chunk->auth = 1;
>
> Doesn't the first_time flag need to be cleared here (and before the
> other continue statement in this loop)?

Seems the description is not matching the code closely. As is,
first_time is about the first time an AUTH chunk is handled followed
by a COOKIE-ECHO chunk (which is what we wanted, in the end), and not
strictly enforcing 'first chunk in the packet', as the description
says.

We should rename this first_time into a chunk counter instead. It
may even help with debugging on crashes.

Thanks for reviewing this, btw.

Marcelo

>
> Ben.
>
> > + continue;
> > + }
> > + }
> > +
> > +normal:
> [...]
>
> --
> Ben Hutchings, Software Developer   Codethink Ltd
> https://www.codethink.co.uk/ Dale House, 35 Dale Street
> Manchester, M1 2HF, United Kingdom