Date: Tue, 29 Sep 2020 09:36:07 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r366248 - head/sys/netinet Message-ID: <202009290936.08T9a7vv062087@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Tue Sep 29 09:36:06 2020 New Revision: 366248 URL: https://svnweb.freebsd.org/changeset/base/366248 Log: Improve the input validation and processing of cookies. This avoids setting the association in an inconsistent state, which could result in a use-after-free situation. This can be triggered by a malicious peer, if the peer can modify the cookie without the local endpoint recognizing it. Thanks to Ned Williamson for reporting the issue. MFC after: 3 days Modified: head/sys/netinet/sctp_input.c head/sys/netinet/sctp_pcb.c Modified: head/sys/netinet/sctp_input.c ============================================================================== --- head/sys/netinet/sctp_input.c Tue Sep 29 09:25:52 2020 (r366247) +++ head/sys/netinet/sctp_input.c Tue Sep 29 09:36:06 2020 (r366248) @@ -2032,10 +2032,6 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in vrf_id, port); return (NULL); } - /* get the correct sctp_nets */ - if (netp) - *netp = sctp_findnet(stcb, init_src); - asoc = &stcb->asoc; /* get scope variables out of cookie */ asoc->scope.ipv4_local_scope = cookie->ipv4_scope; @@ -2074,10 +2070,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in asoc->advanced_peer_ack_point = asoc->last_acked_seq; /* process the INIT info (peer's info) */ - if (netp) - retval = sctp_process_init(init_cp, stcb); - else - retval = 0; + retval = sctp_process_init(init_cp, stcb); if (retval < 0) { (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); @@ -2191,19 +2184,21 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in */ ; } - /* since we did not send a HB make sure we don't double things */ - if ((netp) && (*netp)) - (*netp)->hb_responded = 1; - if (stcb->asoc.sctp_autoclose_ticks && sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); } (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); - if ((netp != NULL) && (*netp != NULL)) { + *netp = sctp_findnet(stcb, init_src); + if (*netp != NULL) { struct timeval old; - /* calculate the RTT and set the encaps port */ + /* + * Since we did not send a HB, make sure we don't double + * things. + */ + (*netp)->hb_responded = 1; + /* Calculate the RTT. */ old.tv_sec = cookie->time_entered.tv_sec; old.tv_usec = cookie->time_entered.tv_usec; sctp_calculate_rto(stcb, asoc, *netp, &old, SCTP_RTT_FROM_NON_DATA); Modified: head/sys/netinet/sctp_pcb.c ============================================================================== --- head/sys/netinet/sctp_pcb.c Tue Sep 29 09:25:52 2020 (r366247) +++ head/sys/netinet/sctp_pcb.c Tue Sep 29 09:36:06 2020 (r366248) @@ -4242,7 +4242,9 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd if ((ntohs(sin->sin_port) == 0) || (sin->sin_addr.s_addr == INADDR_ANY) || (sin->sin_addr.s_addr == INADDR_BROADCAST) || - IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) { + IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) || + (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) != 0) && + (SCTP_IPV6_V6ONLY(inp) != 0))) { /* Invalid address */ SCTP_INP_RUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL); @@ -4261,7 +4263,8 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd sin6 = (struct sockaddr_in6 *)firstaddr; if ((ntohs(sin6->sin6_port) == 0) || IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) || - IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) { + IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) || + ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0)) { /* Invalid address */ SCTP_INP_RUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009290936.08T9a7vv062087>