From owner-svn-src-stable-12@freebsd.org Fri Dec 18 10:13:29 2020 Return-Path: Delivered-To: svn-src-stable-12@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8F6314B4C17; Fri, 18 Dec 2020 10:13:29 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Cy4Sn3d5jz4Vh9; Fri, 18 Dec 2020 10:13:29 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6F1A2E7A; Fri, 18 Dec 2020 10:13:29 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0BIADTEg018452; Fri, 18 Dec 2020 10:13:29 GMT (envelope-from tuexen@FreeBSD.org) Received: (from tuexen@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0BIADT6N018451; Fri, 18 Dec 2020 10:13:29 GMT (envelope-from tuexen@FreeBSD.org) Message-Id: <202012181013.0BIADT6N018451@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f From: Michael Tuexen Date: Fri, 18 Dec 2020 10:13:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r368757 - stable/12/sys/netinet X-SVN-Group: stable-12 X-SVN-Commit-Author: tuexen X-SVN-Commit-Paths: stable/12/sys/netinet X-SVN-Commit-Revision: 368757 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-12@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: SVN commit messages for only the 12-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Dec 2020 10:13:29 -0000 Author: tuexen Date: Fri Dec 18 10:13:28 2020 New Revision: 368757 URL: https://svnweb.freebsd.org/changeset/base/368757 Log: MFC r368593: Clean up more resouces of an existing SCTP association in case of a restart. This fixes a use-after-free scenario, which was reported by Felix Wilhelm from Google in case a peer is able to modify the cookie. However, this can also be triggered by an assciation restart under some specific conditions. MFC r368622: Harden the handling of outgoing streams in case of an restart or INIT collision. This avouds an out-of-bounce access in case the peer can break the cookie signature. Thanks to Felix Wilhelm from Google for reporting the issue. Modified: stable/12/sys/netinet/sctp_input.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/netinet/sctp_input.c ============================================================================== --- stable/12/sys/netinet/sctp_input.c Fri Dec 18 10:09:21 2020 (r368756) +++ stable/12/sys/netinet/sctp_input.c Fri Dec 18 10:13:28 2020 (r368757) @@ -1433,6 +1433,11 @@ sctp_process_cookie_existing(struct mbuf *m, int iphle struct sctp_association *asoc; struct sctp_init_chunk *init_cp, init_buf; struct sctp_init_ack_chunk *initack_cp, initack_buf; + struct sctp_asconf_addr *aparam, *naparam; + struct sctp_asconf_ack *aack, *naack; + struct sctp_tmit_chunk *chk, *nchk; + struct sctp_stream_reset_list *strrst, *nstrrst; + struct sctp_queued_to_read *sq, *nsq; struct sctp_nets *net; struct mbuf *op_err; struct timeval old; @@ -1700,7 +1705,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphle NULL); } asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); - asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); + if (asoc->pre_open_streams < asoc->streamoutcnt) { + asoc->pre_open_streams = asoc->streamoutcnt; + } if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { /* @@ -1711,7 +1718,6 @@ sctp_process_cookie_existing(struct mbuf *m, int iphle * still take a timeout to move these.. but it can't * hurt to mark them. */ - struct sctp_tmit_chunk *chk; TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { if (chk->sent < SCTP_DATAGRAM_RESEND) { @@ -1834,7 +1840,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphle /* move to OPEN state, if not in SHUTDOWN_SENT */ SCTP_SET_STATE(stcb, SCTP_STATE_OPEN); } - asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); + if (asoc->pre_open_streams < asoc->streamoutcnt) { + asoc->pre_open_streams = asoc->streamoutcnt; + } asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; @@ -1875,6 +1883,57 @@ sctp_process_cookie_existing(struct mbuf *m, int iphle stcb->asoc.strmout[i].next_mid_unordered = 0; stcb->asoc.strmout[i].last_msg_incomplete = 0; } + TAILQ_FOREACH_SAFE(strrst, &asoc->resetHead, next_resp, nstrrst) { + TAILQ_REMOVE(&asoc->resetHead, strrst, next_resp); + SCTP_FREE(strrst, SCTP_M_STRESET); + } + TAILQ_FOREACH_SAFE(sq, &asoc->pending_reply_queue, next, nsq) { + TAILQ_REMOVE(&asoc->pending_reply_queue, sq, next); + if (sq->data) { + sctp_m_freem(sq->data); + sq->data = NULL; + } + sctp_free_remote_addr(sq->whoFrom); + sq->whoFrom = NULL; + sq->stcb = NULL; + sctp_free_a_readq(stcb, sq); + } + TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) { + TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next); + if (chk->data) { + sctp_m_freem(chk->data); + chk->data = NULL; + } + if (chk->holds_key_ref) + sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED); + sctp_free_remote_addr(chk->whoTo); + SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk); + SCTP_DECR_CHK_COUNT(); + } + TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) { + TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next); + if (chk->data) { + sctp_m_freem(chk->data); + chk->data = NULL; + } + if (chk->holds_key_ref) + sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED); + sctp_free_remote_addr(chk->whoTo); + SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk); + SCTP_DECR_CHK_COUNT(); + } + TAILQ_FOREACH_SAFE(aparam, &asoc->asconf_queue, next, naparam) { + TAILQ_REMOVE(&asoc->asconf_queue, aparam, next); + SCTP_FREE(aparam, SCTP_M_ASC_ADDR); + } + TAILQ_FOREACH_SAFE(aack, &asoc->asconf_ack_sent, next, naack) { + TAILQ_REMOVE(&asoc->asconf_ack_sent, aack, next); + if (aack->data != NULL) { + sctp_m_freem(aack->data); + } + SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asconf_ack), aack); + } + /* process the INIT-ACK info (my info) */ asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); @@ -2061,7 +2120,6 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in /* process the INIT-ACK info (my info) */ asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); - asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;