Re: [PATCH 5.10 68/77] sctp: add vtag check in sctp_sf_violation
From: Greg Kroah-Hartman
Date: Tue Nov 02 2021 - 11:52:46 EST
On Tue, Nov 02, 2021 at 05:12:16PM +0300, Alexey Khoroshilov wrote:
> Hello!
>
> It seems the patch may lead to NULL pointer dereference.
>
>
> 1. sctp_sf_violation_chunk() calls sctp_sf_violation() with asoc arg
> equal to NULL.
>
> static enum sctp_disposition sctp_sf_violation_chunk(
> ...
> {
> ...
> if (!asoc)
> return sctp_sf_violation(net, ep, asoc, type, arg, commands);
> ...
>
> 2. Newly added code of sctp_sf_violation() calls to sctp_vtag_verify()
> with asoc arg equal to NULL.
>
> enum sctp_disposition sctp_sf_violation(struct net *net,
> ...
> {
> struct sctp_chunk *chunk = arg;
>
> if (!sctp_vtag_verify(chunk, asoc))
> return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> ...
>
> 3. sctp_vtag_verify() dereferences asoc without any check.
>
> /* Check VTAG of the packet matches the sender's own tag. */
> static inline int
> sctp_vtag_verify(const struct sctp_chunk *chunk,
> const struct sctp_association *asoc)
> {
> /* RFC 2960 Sec 8.5 When receiving an SCTP packet, the endpoint
> * MUST ensure that the value in the Verification Tag field of
> * the received SCTP packet matches its own Tag. If the received
> * Verification Tag value does not match the receiver's own
> * tag value, the receiver shall silently discard the packet...
> */
> if (ntohl(chunk->sctp_hdr->vtag) != asoc->c.my_vtag)
> return 0;
>
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE tool.
These issues should all be the same with Linus's tree, so can you please
submit patches to the normal netdev developers and mailing list to
resolve the above issues?
thanks,
greg k-h