From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Xin Long <lucien.xin@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.12 087/106] sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
Date: Wed,  9 Aug 2017 09:53:11 -0700
Message-ID: <20170809164529.127942661@linuxfoundation.org>
In-Reply-To: <20170809164515.714288642@linuxfoundation.org>

4.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit 6b84202c946cd3da3a8daa92c682510e9ed80321 ]

Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving
_sctp_walk_{params, errors}()") tried to fix the issue that it
may overstep the chunk end for _sctp_walk_{params, errors} with
'chunk_end > offset(length) + sizeof(length)'.

But it introduced a side effect: When processing INIT, it verifies
the chunks with 'param.v == chunk_end' after iterating all params
by sctp_walk_params(). With the check 'chunk_end > offset(length)
+ sizeof(length)', it would return when the last param is not yet
accessed, because the last param usually is the fwdtsn supported
param, whose size is 4 and for which 'chunk_end == offset(length)
+ sizeof(length)'.

This is a bad issue, even causing sctp to be unable to complete the
4-way handshake. The client would always get an abort when connecting
to the server, due to the failure of INIT chunk verification on the
server.

The patch is to use 'chunk_end <= offset(length) + sizeof(length)'
instead of 'chunk_end < offset(length) + sizeof(length)' for both
_sctp_walk_params and _sctp_walk_errors.

Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/sctp/sctp.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -469,7 +469,7 @@ _sctp_walk_params((pos), (chunk), ntohs(
 
 #define _sctp_walk_params(pos, chunk, end, member)\
 for (pos.v = chunk->member;\
-     (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <\
+     (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <=\
       (void *)chunk + end) &&\
      pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
      ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
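Review bot: the relaxed `<=` on the first guard is safe only because of the two guards that follow it in the same iteration, and nothing in the macro records that. `<=` permits reading `pos.p->length` whose last byte sits at `(void *)chunk + end - 1`, still inside the chunk, and `pos.v <= (void *)chunk + end - ntohs(pos.p->length)` together with `ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t)` still reject any parameter body that would extend past `end`. Since the `<` being replaced was itself introduced as a bounds fix (b1f5bfc27a19), a one-line comment above the macro stating that `<=` is the intended bound (the length field may end exactly at `end`, as with a trailing 4-byte parameter) would keep the next reader from "tightening" it back. Related documentation nit: the commit message phrases the new condition as `'chunk_end <= offset(length) + sizeof(length)'`, which reads inverted relative to the code's `pos.v + offsetof(...) + sizeof(...) <= (void *)chunk + end`; worth rewording so the text and the hunk agree.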
@@ -481,7 +481,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
 #define _sctp_walk_errors(err, chunk_hdr, end)\
 for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
 	    sizeof(sctp_chunkhdr_t));\
-     ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <\
+     ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <=\
       (void *)chunk_hdr + end) &&\
      (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
      ntohs(err->length) >= sizeof(sctp_errhdr_t); \
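Review bot: this mirrors the `_sctp_walk_params` hunk exactly, which is right because both macros share the same three-guard structure; `(void *)err <= (void *)chunk_hdr + end - ntohs(err->length)` and `ntohs(err->length) >= sizeof(sctp_errhdr_t)` still bound the error body after the first guard is relaxed. Style point: the two macros now differ only in type and member names, and keeping them in lockstep by hand is how the original `<` landed in both; a short comment cross-referencing them (or a shared helper for the "may I read the length field" test) would make the next edit less likely to fix one and miss the other.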

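To make the off-by-one concrete, here is an added C model of the three `_sctp_walk_params` guards (example code, not kernel code) that walks a constructed INIT-style chunk body ending in a 4-byte parameter, once with the pre-patch `<` first guard and once with the patched `<=`. The names `walk_params`, `example_chunk` and `struct paramhdr` are this example's own; the byte layout mirrors `sctp_paramhdr`.

```c
/* Added example: a user-space model of the bounds checks in the
 * _sctp_walk_params macro. Names (walk_params, example_chunk) are
 * this example's own; the byte layout mirrors sctp_paramhdr. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct paramhdr { uint16_t type; uint16_t length; }; /* both big-endian */

/* Constructed INIT-style chunk body: a Supported Address Types parameter
 * (type 12, length 6, padded to 8) followed by the 4-byte Forward-TSN
 * supported parameter (type 0xC000), which ends exactly at the chunk end. */
static const uint8_t example_chunk[] = {
    0x00, 0x0C, 0x00, 0x06, 0x00, 0x05, 0x00, 0x00,
    0xC0, 0x00, 0x00, 0x04,
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Count the parameters in buf[0..end) that the walker visits without ever
 * reading past end. strict_lt != 0 uses the pre-patch "<" first guard,
 * strict_lt == 0 the patched "<=" guard. */
static int walk_params(const uint8_t *buf, size_t end, int strict_lt)
{
    int n = 0;
    size_t pos = 0;
    for (;;) {
        /* Guard 1: may the 2-byte length field be read at all? */
        size_t len_end = pos + offsetof(struct paramhdr, length) + sizeof(uint16_t);
        if (strict_lt ? !(len_end < end) : !(len_end <= end))
            break;
        uint16_t len = be16(buf + pos + offsetof(struct paramhdr, length));
        /* Guards 2 and 3: at least header-sized, and the body fits before end. */
        if (len < sizeof(struct paramhdr) || len > end - pos)
            break;
        n++;
        pos += (len + 3u) & ~(size_t)3; /* SCTP_PAD4: params are 4-byte aligned */
    }
    return n;
}

int main(void)
{
    size_t end = sizeof(example_chunk);
    printf("pre-patch  '<'  visits %d params\n", walk_params(example_chunk, end, 1));
    printf("post-patch '<=' visits %d params\n", walk_params(example_chunk, end, 0));
    return 0;
}
```

With the `<` guard the trailing 4-byte parameter is never visited, so a caller that then requires `pos == end` rejects a well-formed chunk; with `<=` it is visited, and a chunk truncated to 10 bytes still stops at the first parameter because guard 1 refuses to read a length field that would cross `end`.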