--- /dev/null
+From ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 28 Jun 2021 16:13:44 -0300
+Subject: sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.
+
+When SCTP handles an INIT chunk, it calls for example:
+sctp_sf_do_5_1B_init
+ sctp_verify_init
+ sctp_verify_param
+ sctp_process_init
+ sctp_process_param
+ handling of SCTP_PARAM_SET_PRIMARY
+
+sctp_verify_init() wasn't doing proper size validation and neither the
+later handling, allowing it to work over the chunk itself, possibly being
+uninitialized memory.
+
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2146,9 +2146,16 @@ static sctp_ierror_t sctp_verify_param(s
+ break;
+
+ case SCTP_PARAM_SET_PRIMARY:
+- if (net->sctp.addip_enable)
+- break;
+- goto fallthrough;
++ if (!net->sctp.addip_enable)
++ goto fallthrough;
++
++ if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) +
++ sizeof(struct sctp_paramhdr)) {
++ sctp_process_inv_paramlength(asoc, param.p,
++ chunk, err_chunk);
++ retval = SCTP_IERROR_ABORT;
++ }
++ break;
+
+ case SCTP_PARAM_HOST_NAME_ADDRESS:
+ /* Tell the peer, we won't support this param. */
--- /dev/null
+From b6ffe7671b24689c09faa5675dd58f93758a97ae Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 28 Jun 2021 16:13:43 -0300
+Subject: sctp: validate chunk size in __rcv_asconf_lookup
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+commit b6ffe7671b24689c09faa5675dd58f93758a97ae upstream.
+
+In one of the fallbacks that SCTP has for identifying an association for an
+incoming packet, it looks for AddIp chunk (from ASCONF) and take a peek.
+Thing is, at this stage nothing was validating that the chunk actually had
+enough content for that, allowing the peek to happen over uninitialized
+memory.
+
+Similar check already exists in actual asconf handling in
+sctp_verify_asconf().
+
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1008,6 +1008,9 @@ static struct sctp_association *__sctp_r
+ union sctp_addr_param *param;
+ union sctp_addr paddr;
+
++ if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
++ return NULL;
++
+ /* Skip over the ADDIP header and find the Address parameter */
+ param = (union sctp_addr_param *)(asconf + 1);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
