1 From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
2 From: Neil Horman <nhorman@tuxdriver.com>
3 Date: Thu, 13 Jun 2019 06:35:59 -0400
4 Subject: sctp: Free cookie before we memdup a new one
5
6 From: Neil Horman <nhorman@tuxdriver.com>
7
8 [ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ]
9
10 Based on comments from Xin, even after fixes for our recent syzbot
11 report of cookie memory leaks, it's possible to get a resend of an INIT
12 chunk which would lead to us leaking cookie memory.
13
14 To ensure that we don't leak cookie memory, free any previously
15 allocated cookie first.
16
17 Change notes
18 v1->v2
19 update subsystem tag in subject (davem)
20 repeat kfree check for peer_random and peer_hmacs (xin)
21
22 v2->v3
23 net->sctp
24 also free peer_chunks
25
26 v3->v4
27 fix subject tags
28
29 v4->v5
30 remove cut line
31
32 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
33 Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
34 CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
35 CC: Xin Long <lucien.xin@gmail.com>
36 CC: "David S. Miller" <davem@davemloft.net>
37 CC: netdev@vger.kernel.org
38 Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
39 Signed-off-by: David S. Miller <davem@davemloft.net>
40 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
41 ---
42 net/sctp/sm_make_chunk.c | 8 ++++++++
43 1 file changed, 8 insertions(+)
44
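--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2600,6 +2600,8 @@ do_addr_param:
 case SCTP_PARAM_STATE_COOKIE:
 asoc->peer.cookie_len =
 ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
 asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
 if (!asoc->peer.cookie)
 retval = 0;
@@ -2664,6 +2666,8 @@ do_addr_param:
 goto fall_through;
 
 /* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
 asoc->peer.peer_random = kmemdup(param.p,
 ntohs(param.p->length), gfp);
 if (!asoc->peer.peer_random) {
@@ -2677,6 +2681,8 @@ do_addr_param:
 goto fall_through;
 
 /* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
 asoc->peer.peer_hmacs = kmemdup(param.p,
 ntohs(param.p->length), gfp);
 if (!asoc->peer.peer_hmacs) {
@@ -2692,6 +2698,8 @@ do_addr_param:
 if (!ep->auth_enable)
 goto fall_through;
 
+ if (asoc->peer.peer_chunks)
+ kfree(asoc->peer.peer_chunks);
 asoc->peer.peer_chunks = kmemdup(param.p,
 ntohs(param.p->length), gfp);
 if (!asoc->peer.peer_chunks)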
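Review bot: In the SCTP_PARAM_STATE_COOKIE hunk, `asoc->peer.cookie_len` is set from the incoming parameter before the old cookie is freed, so when `kmemdup()` fails the association is left with a NULL `cookie` and a non-zero `cookie_len`. `retval = 0` reports the failure, but whether every later reader checks the pointer before trusting the length is not visible here, so setting `asoc->peer.cookie_len = 0;` alongside `retval = 0;` would keep the pair consistent. Separately, `kfree()` accepts NULL, so each of the four added guards can be reduced to the bare call, e.g. `kfree(asoc->peer.cookie);`. The enclosing switch starts and ends outside these hunks.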