[thirdparty/kernel/stable-queue.git] / queue-4.19 / sctp-free-cookie-before-we-memdup-a-new-one.patch-9156

From 94952b029ca67d652a477f4d01300a91fdf05f26 Mon Sep 17 00:00:00 2001
From: Neil Horman <nhorman@tuxdriver.com>
Date: Thu, 13 Jun 2019 06:35:59 -0400
Subject: sctp: Free cookie before we memdup a new one

[ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ]

Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.

To ensure that we don't leak cookie memory, free any previously
allocated cookie first.

Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)

v2->v3
net->sctp
also free peer_chunks

v3->v4
fix subject tags

v4->v5
remove cut line

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/sm_make_chunk.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index ae65a1cfa596..fb546b2d67ca 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2600,6 +2600,8 @@ static int sctp_process_param(struct sctp_association *asoc,
 	case SCTP_PARAM_STATE_COOKIE:
 		asoc->peer.cookie_len =
 			ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+		if (asoc->peer.cookie)
+			kfree(asoc->peer.cookie);
 		asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
 		if (!asoc->peer.cookie)
 			retval = 0;
@@ -2664,6 +2666,8 @@ static int sctp_process_param(struct sctp_association *asoc,
 			goto fall_through;
 
 		/* Save peer's random parameter */
+		if (asoc->peer.peer_random)
+			kfree(asoc->peer.peer_random);
 		asoc->peer.peer_random = kmemdup(param.p,
 					    ntohs(param.p->length), gfp);
 		if (!asoc->peer.peer_random) {
@@ -2677,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
 			goto fall_through;
 
 		/* Save peer's HMAC list */
+		if (asoc->peer.peer_hmacs)
+			kfree(asoc->peer.peer_hmacs);
 		asoc->peer.peer_hmacs = kmemdup(param.p,
 					    ntohs(param.p->length), gfp);
 		if (!asoc->peer.peer_hmacs) {
@@ -2692,6 +2698,8 @@ static int sctp_process_param(struct sctp_association *asoc,
 		if (!ep->auth_enable)
 			goto fall_through;
 
+		if (asoc->peer.peer_chunks)
+			kfree(asoc->peer.peer_chunks);
 		asoc->peer.peer_chunks = kmemdup(param.p,
 					    ntohs(param.p->length), gfp);
 		if (!asoc->peer.peer_chunks)
-- 
2.20.1
Commit	Line	Data
a15a8890 SL	1	From 94952b029ca67d652a477f4d01300a91fdf05f26 Mon Sep 17 00:00:00 2001
	2	From: Neil Horman <nhorman@tuxdriver.com>
	3	Date: Thu, 13 Jun 2019 06:35:59 -0400
	4	Subject: sctp: Free cookie before we memdup a new one
	5
	6	[ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ]
	7
	8	Based on comments from Xin, even after fixes for our recent syzbot
	9	report of cookie memory leaks, its possible to get a resend of an INIT
	10	chunk which would lead to us leaking cookie memory.
	11
	12	To ensure that we don't leak cookie memory, free any previously
	13	allocated cookie first.
	14
	15	Change notes
	16	v1->v2
	17	update subsystem tag in subject (davem)
	18	repeat kfree check for peer_random and peer_hmacs (xin)
	19
	20	v2->v3
	21	net->sctp
	22	also free peer_chunks
	23
	24	v3->v4
	25	fix subject tags
	26
	27	v4->v5
	28	remove cut line
	29
	30	Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
	31	Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
	32	CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
	33	CC: Xin Long <lucien.xin@gmail.com>
	34	CC: "David S. Miller" <davem@davemloft.net>
	35	CC: netdev@vger.kernel.org
	36	Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
	37	Signed-off-by: David S. Miller <davem@davemloft.net>
	38	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	39	---
	40	net/sctp/sm_make_chunk.c \| 8 ++++++++
	41	1 file changed, 8 insertions(+)
	42
	43	diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
	44	index ae65a1cfa596..fb546b2d67ca 100644
	45	--- a/net/sctp/sm_make_chunk.c
	46	+++ b/net/sctp/sm_make_chunk.c
	47	@@ -2600,6 +2600,8 @@ static int sctp_process_param(struct sctp_association *asoc,
	48	case SCTP_PARAM_STATE_COOKIE:
	49	asoc->peer.cookie_len =
	50	ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
	51	+ if (asoc->peer.cookie)
	52	+ kfree(asoc->peer.cookie);
	53	asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
	54	if (!asoc->peer.cookie)
	55	retval = 0;
	56	@@ -2664,6 +2666,8 @@ static int sctp_process_param(struct sctp_association *asoc,
	57	goto fall_through;
	58
	59	/* Save peer's random parameter */
	60	+ if (asoc->peer.peer_random)
	61	+ kfree(asoc->peer.peer_random);
	62	asoc->peer.peer_random = kmemdup(param.p,
	63	ntohs(param.p->length), gfp);
	64	if (!asoc->peer.peer_random) {
65	@@ -2677,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
66	goto fall_through;
67
68	/* Save peer's HMAC list */
69	+ if (asoc->peer.peer_hmacs)
70	+ kfree(asoc->peer.peer_hmacs);
71	asoc->peer.peer_hmacs = kmemdup(param.p,
72	ntohs(param.p->length), gfp);
73	if (!asoc->peer.peer_hmacs) {
74	@@ -2692,6 +2698,8 @@ static int sctp_process_param(struct sctp_association *asoc,
75	if (!ep->auth_enable)
76	goto fall_through;
77
78	+ if (asoc->peer.peer_chunks)
79	+ kfree(asoc->peer.peer_chunks);
80	asoc->peer.peer_chunks = kmemdup(param.p,
81	ntohs(param.p->length), gfp);
82	if (!asoc->peer.peer_chunks)
83	--
84	2.20.1
85