From owner-svn-src-stable@freebsd.org Thu Oct 1 16:53:17 2020 Return-Path: Delivered-To: svn-src-stable@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0A29F42D6EE; Thu, 1 Oct 2020 16:53:17 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4C2K246bgwz4NsW; Thu, 1 Oct 2020 16:53:16 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C5D4A13CEB; Thu, 1 Oct 2020 16:53:16 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 091GrG06043019; Thu, 1 Oct 2020 16:53:16 GMT (envelope-from tuexen@FreeBSD.org) Received: (from tuexen@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 091GrGjS043017; Thu, 1 Oct 2020 16:53:16 GMT (envelope-from tuexen@FreeBSD.org) Message-Id: <202010011653.091GrGjS043017@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f From: Michael Tuexen Date: Thu, 1 Oct 2020 16:53:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r366329 - stable/12/sys/netinet X-SVN-Group: stable-12 X-SVN-Commit-Author: tuexen X-SVN-Commit-Paths: stable/12/sys/netinet X-SVN-Commit-Revision: 366329 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Oct 2020 16:53:17 -0000 Author: tuexen Date: Thu Oct 1 16:53:16 2020 New Revision: 366329 URL: https://svnweb.freebsd.org/changeset/base/366329 Log: MFC r366248: Improve the input validation and processing of cookies. This avoids setting the association in an inconsistent state, which could result in a use-after-free situation. This can be triggered by a malicious peer, if the peer can modify the cookie without the local endpoint recognizing it. Thanks to Ned Williamson for reporting the issue. Modified: stable/12/sys/netinet/sctp_input.c stable/12/sys/netinet/sctp_pcb.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/netinet/sctp_input.c ============================================================================== --- stable/12/sys/netinet/sctp_input.c Thu Oct 1 16:45:11 2020 (r366328) +++ stable/12/sys/netinet/sctp_input.c Thu Oct 1 16:53:16 2020 (r366329) @@ -2040,10 +2040,6 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in vrf_id, port); return (NULL); } - /* get the correct sctp_nets */ - if (netp) - *netp = sctp_findnet(stcb, init_src); - asoc = &stcb->asoc; /* get scope variables out of cookie */ asoc->scope.ipv4_local_scope = cookie->ipv4_scope; @@ -2082,10 +2078,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in asoc->advanced_peer_ack_point = asoc->last_acked_seq; /* process the INIT info (peer's info) */ - if (netp) - retval = sctp_process_init(init_cp, stcb); - else - retval = 0; + retval = sctp_process_init(init_cp, stcb); if (retval < 0) { (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); @@ -2199,19 +2192,21 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in */ ; } - /* since we did not send a HB make sure we don't double things */ - if ((netp) && (*netp)) - (*netp)->hb_responded = 1; - if (stcb->asoc.sctp_autoclose_ticks && sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); } (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); - if ((netp != NULL) && (*netp != NULL)) { + *netp = sctp_findnet(stcb, init_src); + if (*netp != NULL) { struct timeval old; - /* calculate the RTT and set the encaps port */ + /* + * Since we did not send a HB, make sure we don't double + * things. + */ + (*netp)->hb_responded = 1; + /* Calculate the RTT. */ old.tv_sec = cookie->time_entered.tv_sec; old.tv_usec = cookie->time_entered.tv_usec; sctp_calculate_rto(stcb, asoc, *netp, &old, SCTP_RTT_FROM_NON_DATA); Modified: stable/12/sys/netinet/sctp_pcb.c ============================================================================== --- stable/12/sys/netinet/sctp_pcb.c Thu Oct 1 16:45:11 2020 (r366328) +++ stable/12/sys/netinet/sctp_pcb.c Thu Oct 1 16:53:16 2020 (r366329) @@ -4291,7 +4291,9 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd if ((ntohs(sin->sin_port) == 0) || (sin->sin_addr.s_addr == INADDR_ANY) || (sin->sin_addr.s_addr == INADDR_BROADCAST) || - IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) { + IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) || + (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) != 0) && + (SCTP_IPV6_V6ONLY(inp) != 0))) { /* Invalid address */ SCTP_INP_RUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL); @@ -4310,7 +4312,8 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd sin6 = (struct sockaddr_in6 *)firstaddr; if ((ntohs(sin6->sin6_port) == 0) || IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) || - IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) { + IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) || + ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0)) { /* Invalid address */ SCTP_INP_RUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);