[thirdparty/kernel/stable-queue.git] / releases / 4.19.54 / sctp-free-cookie-before-we-memdup-a-new-one.patch

From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
From: Neil Horman <nhorman@tuxdriver.com>
Date: Thu, 13 Jun 2019 06:35:59 -0400
Subject: sctp: Free cookie before we memdup a new one

From: Neil Horman <nhorman@tuxdriver.com>

[ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ]

Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.

To ensure that we don't leak cookie memory, free any previously
allocated cookie first.

Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)

v2->v3
net->sctp
also free peer_chunks

v3->v4
fix subject tags

v4->v5
remove cut line

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/sm_make_chunk.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2600,6 +2600,8 @@ do_addr_param:
 	case SCTP_PARAM_STATE_COOKIE:
 		asoc->peer.cookie_len =
 			ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+		if (asoc->peer.cookie)
+			kfree(asoc->peer.cookie);
 		asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
 		if (!asoc->peer.cookie)
 			retval = 0;
@@ -2664,6 +2666,8 @@ do_addr_param:
 			goto fall_through;
 
 		/* Save peer's random parameter */
+		if (asoc->peer.peer_random)
+			kfree(asoc->peer.peer_random);
 		asoc->peer.peer_random = kmemdup(param.p,
 					    ntohs(param.p->length), gfp);
 		if (!asoc->peer.peer_random) {
@@ -2677,6 +2681,8 @@ do_addr_param:
 			goto fall_through;
 
 		/* Save peer's HMAC list */
+		if (asoc->peer.peer_hmacs)
+			kfree(asoc->peer.peer_hmacs);
 		asoc->peer.peer_hmacs = kmemdup(param.p,
 					    ntohs(param.p->length), gfp);
 		if (!asoc->peer.peer_hmacs) {
@@ -2692,6 +2698,8 @@ do_addr_param:
 		if (!ep->auth_enable)
 			goto fall_through;
 
+		if (asoc->peer.peer_chunks)
+			kfree(asoc->peer.peer_chunks);
 		asoc->peer.peer_chunks = kmemdup(param.p,
 					    ntohs(param.p->length), gfp);
 		if (!asoc->peer.peer_chunks)
Commit	Line	Data
cc95841f GKH	1	From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
	2	From: Neil Horman <nhorman@tuxdriver.com>
	3	Date: Thu, 13 Jun 2019 06:35:59 -0400
	4	Subject: sctp: Free cookie before we memdup a new one
	5
	6	From: Neil Horman <nhorman@tuxdriver.com>
	7
	8	[ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ]
	9
	10	Based on comments from Xin, even after fixes for our recent syzbot
	11	report of cookie memory leaks, its possible to get a resend of an INIT
	12	chunk which would lead to us leaking cookie memory.
	13
	14	To ensure that we don't leak cookie memory, free any previously
	15	allocated cookie first.
	16
	17	Change notes
	18	v1->v2
	19	update subsystem tag in subject (davem)
	20	repeat kfree check for peer_random and peer_hmacs (xin)
	21
	22	v2->v3
	23	net->sctp
	24	also free peer_chunks
	25
	26	v3->v4
	27	fix subject tags
	28
	29	v4->v5
	30	remove cut line
	31
	32	Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
	33	Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
	34	CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
	35	CC: Xin Long <lucien.xin@gmail.com>
	36	CC: "David S. Miller" <davem@davemloft.net>
	37	CC: netdev@vger.kernel.org
	38	Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
	39	Signed-off-by: David S. Miller <davem@davemloft.net>
	40	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	41	---
	42	net/sctp/sm_make_chunk.c \| 8 ++++++++
	43	1 file changed, 8 insertions(+)
	44
	45	--- a/net/sctp/sm_make_chunk.c
	46	+++ b/net/sctp/sm_make_chunk.c
	47	@@ -2600,6 +2600,8 @@ do_addr_param:
	48	case SCTP_PARAM_STATE_COOKIE:
	49	asoc->peer.cookie_len =
	50	ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
	51	+ if (asoc->peer.cookie)
	52	+ kfree(asoc->peer.cookie);
	53	asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
	54	if (!asoc->peer.cookie)
	55	retval = 0;
	56	@@ -2664,6 +2666,8 @@ do_addr_param:
	57	goto fall_through;
	58
	59	/* Save peer's random parameter */
	60	+ if (asoc->peer.peer_random)
	61	+ kfree(asoc->peer.peer_random);
	62	asoc->peer.peer_random = kmemdup(param.p,
	63	ntohs(param.p->length), gfp);
	64	if (!asoc->peer.peer_random) {
65	@@ -2677,6 +2681,8 @@ do_addr_param:
66	goto fall_through;
67
68	/* Save peer's HMAC list */
69	+ if (asoc->peer.peer_hmacs)
70	+ kfree(asoc->peer.peer_hmacs);
71	asoc->peer.peer_hmacs = kmemdup(param.p,
72	ntohs(param.p->length), gfp);
73	if (!asoc->peer.peer_hmacs) {
74	@@ -2692,6 +2698,8 @@ do_addr_param:
75	if (!ep->auth_enable)
76	goto fall_through;
77
78	+ if (asoc->peer.peer_chunks)
79	+ kfree(asoc->peer.peer_chunks);
80	asoc->peer.peer_chunks = kmemdup(param.p,
81	ntohs(param.p->length), gfp);
82	if (!asoc->peer.peer_chunks)