mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-04 04:06:26 +00:00
sctp: bring inet(6)_skb_parm back to sctp_input_cb
inet(6)_skb_parm was removed from sctp_input_cb by Commita1dd2cf2f1
("sctp: allow changing transport encap_port by peer packets"), as it thought sctp_input_cb->header is not used any more in SCTP. syzbot reported a crash: [ ] BUG: KASAN: use-after-free in decode_session6+0xe7c/0x1580 [ ] [ ] Call Trace: [ ] <IRQ> [ ] dump_stack+0x107/0x163 [ ] kasan_report.cold+0x1f/0x37 [ ] decode_session6+0xe7c/0x1580 [ ] __xfrm_policy_check+0x2fa/0x2850 [ ] sctp_rcv+0x12b0/0x2e30 [ ] sctp6_rcv+0x22/0x40 [ ] ip6_protocol_deliver_rcu+0x2e8/0x1680 [ ] ip6_input_finish+0x7f/0x160 [ ] ip6_input+0x9c/0xd0 [ ] ipv6_rcv+0x28e/0x3c0 It was caused by sctp_input_cb->header/IP6CB(skb) still used in sctp rx path decode_session6() but some members overwritten by sctp6_rcv(). This patch is to fix it by bring inet(6)_skb_parm back to sctp_input_cb and not overwriting it in sctp4/6_rcv() and sctp_udp_rcv(). Reported-by: syzbot+5be8aebb1b7dfa90ef31@syzkaller.appspotmail.com Fixes:a1dd2cf2f1
("sctp: allow changing transport encap_port by peer packets") Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Link: https://lore.kernel.org/r/136c1a7a419341487c504be6d1996928d9d16e02.1604472932.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
parent
67438feb2b
commit
0356010d82
@ -1121,6 +1121,12 @@ static inline void sctp_outq_cork(struct sctp_outq *q)
|
||||
* sctp_input_cb is currently used on rx and sock rx queue
|
||||
*/
|
||||
struct sctp_input_cb {
|
||||
union {
|
||||
struct inet_skb_parm h4;
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
struct inet6_skb_parm h6;
|
||||
#endif
|
||||
} header;
|
||||
struct sctp_chunk *chunk;
|
||||
struct sctp_af *af;
|
||||
__be16 encap_port;
|
||||
|
@ -1074,7 +1074,7 @@ static struct inet_protosw sctpv6_stream_protosw = {
|
||||
|
||||
static int sctp6_rcv(struct sk_buff *skb)
|
||||
{
|
||||
memset(skb->cb, 0, sizeof(skb->cb));
|
||||
SCTP_INPUT_CB(skb)->encap_port = 0;
|
||||
return sctp_rcv(skb) ? -1 : 0;
|
||||
}
|
||||
|
||||
|
@ -843,7 +843,6 @@ static int sctp_ctl_sock_init(struct net *net)
|
||||
|
||||
static int sctp_udp_rcv(struct sock *sk, struct sk_buff *skb)
|
||||
{
|
||||
memset(skb->cb, 0, sizeof(skb->cb));
|
||||
SCTP_INPUT_CB(skb)->encap_port = udp_hdr(skb)->source;
|
||||
|
||||
skb_set_transport_header(skb, sizeof(struct udphdr));
|
||||
@ -1163,7 +1162,7 @@ static struct inet_protosw sctp_stream_protosw = {
|
||||
|
||||
static int sctp4_rcv(struct sk_buff *skb)
|
||||
{
|
||||
memset(skb->cb, 0, sizeof(skb->cb));
|
||||
SCTP_INPUT_CB(skb)->encap_port = 0;
|
||||
return sctp_rcv(skb);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user