Date:      Mon, 31 Oct 2022 17:33:25 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 267476] SctpAlias() can pass a NULL assoc which ProcessSctpMsg() dereferences
Message-ID:  <bug-267476-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267476

            Bug ID: 267476
           Summary: SctpAlias() can pass a NULL assoc which
                    ProcessSctpMsg() dereferences
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #237765 mime type: text/plain

Created attachment 237765
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237765&action=edit
trigger NULL dereference in kernel LibAlias's SctpAlias()

In sys/netinet/libalias/alias_sctp.c, if SctpAlias()'s call to
sctp_PktParser() returns SN_PARSE_ERROR_CHHL, and the IP_MF bit is
set, then SctpAlias() ignores the error. However, sctp_PktParser()
doesn't always set assoc in this situation, in which case SctpAlias()
passes the NULL assoc to ProcessSctpMsg(), which tries to dereference
it.

Here's a demo, via netgraph's ng_nat:

# cc ng50a.c -lnetgraph
# ./a.out
panic: Fatal page fault at 0xffffffc0004fbf7e: 0x00000000000018
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x18
ProcessSctpMsg() at ProcessSctpMsg+0xc
SctpAlias() at SctpAlias+0x158
LibAliasOutLocked() at LibAliasOutLocked+0x176
LibAliasOut() at LibAliasOut+0x42
ng_nat_rcvdata() at ng_nat_rcvdata+0x220
ng_apply_item() at ng_apply_item+0x130
ng_snd_item() at ng_snd_item+0x1bc
ngd_send() at ngd_send+0xf8
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)

-- 
You are receiving this mail because:
You are the assignee for the bug.
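As an added illustration of the flow the report describes (not code from FreeBSD's libalias or from the reporter), a stand-alone C model: a mock parser returns SN_PARSE_ERROR_CHHL without setting assoc, the caller ignores that error when IP_MF is set, and the hardened variant drops the packet instead of dispatching a NULL assoc. The value of SN_PARSE_ERROR_CHHL, the struct, the OUTCOME_ codes and the mock_*/model_* names are assumptions made for the example.

```c
/* Stand-alone model of the control flow the report describes; not libalias
 * code. Names SN_PARSE_ERROR_CHHL and IP_MF follow the report; the CHHL value,
 * the struct and the mock parser/handler are constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#define SN_PARSE_OK          0
#define SN_PARSE_ERROR_CHHL  3       /* value chosen for this example */
#define IP_MF                0x2000  /* "more fragments" bit in ip_off */
#define OUTCOME_DROPPED     -1       /* packet rejected before the handler */
#define OUTCOME_NULL_DEREF  -2       /* stands in for the kernel page fault */
struct sctp_assoc { int id; };

/* Mock parser: a truncated chunk header yields SN_PARSE_ERROR_CHHL and, as in
 * the report, leaves *assoc NULL on that path. */
static int mock_pkt_parser(int truncated_chunk, struct sctp_assoc **assoc)
{
    static struct sctp_assoc known = { 42 };  /* constructed association */
    *assoc = NULL;
    if (truncated_chunk)
        return SN_PARSE_ERROR_CHHL;
    *assoc = &known;
    return SN_PARSE_OK;
}

/* The handler dereferences assoc unconditionally, as ProcessSctpMsg() does. */
static int mock_process_msg(struct sctp_assoc *assoc) { return assoc->id; }

/* Returns the association id when the message is handled, or an OUTCOME_ code.
 * hardened=0 reproduces the reported flow (a NULL assoc reaches the handler);
 * hardened=1 drops the packet instead of dispatching with a NULL assoc. */
static int model_sctp_alias(int ip_off, int truncated_chunk, int hardened)
{
    struct sctp_assoc *assoc;
    int rc = mock_pkt_parser(truncated_chunk, &assoc);

    if (rc == SN_PARSE_ERROR_CHHL && (ip_off & IP_MF))
        rc = SN_PARSE_OK;            /* fragment: the CHHL error is ignored */
    if (rc != SN_PARSE_OK)
        return OUTCOME_DROPPED;
    if (assoc == NULL)               /* reached only on the buggy path */
        return hardened ? OUTCOME_DROPPED : OUTCOME_NULL_DEREF;
    return mock_process_msg(assoc);
}

int main(void)
{
    printf("fragment+CHHL, unpatched: %d\n", model_sctp_alias(IP_MF, 1, 0));
    printf("fragment+CHHL, hardened:  %d\n", model_sctp_alias(IP_MF, 1, 1));
    return 0;
}
```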


