Date: Thu, 1 Oct 2020 18:17:57 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366335 - releng/12.2/sys/netinet Message-ID: <202010011817.091IHvWe093090@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Thu Oct 1 18:17:56 2020 New Revision: 366335 URL: https://svnweb.freebsd.org/changeset/base/366335 Log: MFS r366324: Improve the handling of receiving unordered and unreliable user messages using DATA chunks. Don't use fsn_included when not being sure that it is set to an appropriate value. If the default is used, which is -1, this can result in SCTP associaitons not making any user visible progress. Thanks to Yutaka Takeda for reporting this issue for the the userland stack in https://github.com/pion/sctp/issues/138. MFS r366329: Improve the input validation and processing of cookies. This avoids setting the association in an inconsistent state, which could result in a use-after-free situation. This can be triggered by a malicious peer, if the peer can modify the cookie without the local endpoint recognizing it. Thanks to Ned Williamson for reporting the issue. Approved by: re (gjb) Modified: releng/12.2/sys/netinet/sctp_indata.c releng/12.2/sys/netinet/sctp_input.c releng/12.2/sys/netinet/sctp_pcb.c Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/sys/netinet/sctp_indata.c ============================================================================== --- releng/12.2/sys/netinet/sctp_indata.c Thu Oct 1 17:49:10 2020 (r366334) +++ releng/12.2/sys/netinet/sctp_indata.c Thu Oct 1 18:17:56 2020 (r366335) @@ -5437,7 +5437,9 @@ sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb, * it can be delivered... But for now we just dump everything on the * queue. */ - if (!asoc->idata_supported && !ordered && SCTP_TSN_GT(control->fsn_included, cumtsn)) { + if (!asoc->idata_supported && !ordered && + control->first_frag_seen && + SCTP_TSN_GT(control->fsn_included, cumtsn)) { return; } TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) { Modified: releng/12.2/sys/netinet/sctp_input.c ============================================================================== --- releng/12.2/sys/netinet/sctp_input.c Thu Oct 1 17:49:10 2020 (r366334) +++ releng/12.2/sys/netinet/sctp_input.c Thu Oct 1 18:17:56 2020 (r366335) @@ -2040,10 +2040,6 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in vrf_id, port); return (NULL); } - /* get the correct sctp_nets */ - if (netp) - *netp = sctp_findnet(stcb, init_src); - asoc = &stcb->asoc; /* get scope variables out of cookie */ asoc->scope.ipv4_local_scope = cookie->ipv4_scope; @@ -2082,10 +2078,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in asoc->advanced_peer_ack_point = asoc->last_acked_seq; /* process the INIT info (peer's info) */ - if (netp) - retval = sctp_process_init(init_cp, stcb); - else - retval = 0; + retval = sctp_process_init(init_cp, stcb); if (retval < 0) { (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); @@ -2199,19 +2192,21 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in */ ; } - /* since we did not send a HB make sure we don't double things */ - if ((netp) && (*netp)) - (*netp)->hb_responded = 1; - if (stcb->asoc.sctp_autoclose_ticks && sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); } (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); - if ((netp != NULL) && (*netp != NULL)) { + *netp = sctp_findnet(stcb, init_src); + if (*netp != NULL) { struct timeval old; - /* calculate the RTT and set the encaps port */ + /* + * Since we did not send a HB, make sure we don't double + * things. + */ + (*netp)->hb_responded = 1; + /* Calculate the RTT. */ old.tv_sec = cookie->time_entered.tv_sec; old.tv_usec = cookie->time_entered.tv_usec; sctp_calculate_rto(stcb, asoc, *netp, &old, SCTP_RTT_FROM_NON_DATA); Modified: releng/12.2/sys/netinet/sctp_pcb.c ============================================================================== --- releng/12.2/sys/netinet/sctp_pcb.c Thu Oct 1 17:49:10 2020 (r366334) +++ releng/12.2/sys/netinet/sctp_pcb.c Thu Oct 1 18:17:56 2020 (r366335) @@ -4293,7 +4293,9 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd if ((ntohs(sin->sin_port) == 0) || (sin->sin_addr.s_addr == INADDR_ANY) || (sin->sin_addr.s_addr == INADDR_BROADCAST) || - IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) { + IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) || + (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) != 0) && + (SCTP_IPV6_V6ONLY(inp) != 0))) { /* Invalid address */ SCTP_INP_RUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL); @@ -4312,7 +4314,8 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd sin6 = (struct sockaddr_in6 *)firstaddr; if ((ntohs(sin6->sin6_port) == 0) || IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) || - IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) { + IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) || + ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0)) { /* Invalid address */ SCTP_INP_RUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202010011817.091IHvWe093090>