From: Sasha Levin <sasha.levin@oracle.com>
To: stable@vger.kernel.org, stable-commits@vger.kernel.org
Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sasha.levin@oracle.com>
Subject: [added to the 3.18 stable tree] sctp: Fix mangled IPv4 addresses on a IPv6 listening socket
Date: Tue, 16 Jun 2015 07:56:49 -0400
Message-ID: <1434455817-18729-21-git-send-email-sasha.levin@oracle.com>
In-Reply-To: <1434455817-18729-1-git-send-email-sasha.levin@oracle.com>

From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>

This patch has been added to the 3.18 stable tree. If you have any
objections, please let us know.

===============

[ Upstream commit 9302d7bb0c5cd46be5706859301f18c137b2439f ]

sctp_v4_map_v6 was subtly writing and reading from members
of a union in a way that clobbered data it needed to read before
it read it.

Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning
that every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the
result.

Reorder things to guarantee correct behaviour no matter what the
union layout is.

This impacts user space clients that open an IPv6 SCTP socket and
receive IPv4 connections. Prior to 299ee user space would see a
sockaddr with AF_INET and a correct address; after 299ee the sockaddr
is AF_INET6, but the address is wrong.

Fixes: 299ee123e198 (sctp: Fixup v4mapped behaviour to comply with Sock API)
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
 include/net/sctp/sctp.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index 856f01c..230775f 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -571,11 +571,14 @@ static inline void sctp_v6_map_v4(union sctp_addr *addr)
 /* Map v4 address to v4-mapped v6 address */
 static inline void sctp_v4_map_v6(union sctp_addr *addr)
 {
+	__be16 port;
+
+	port = addr->v4.sin_port;
+	addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
+	addr->v6.sin6_port = port;
 	addr->v6.sin6_family = AF_INET6;
 	addr->v6.sin6_flowinfo = 0;
 	addr->v6.sin6_scope_id = 0;
-	addr->v6.sin6_port = addr->v4.sin_port;
-	addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
 	addr->v6.sin6_addr.s6_addr32[0] = 0;
 	addr->v6.sin6_addr.s6_addr32[1] = 0;
 	addr->v6.sin6_addr.s6_addr32[2] = htonl(0x0000ffff);
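Review bot: the order of the three added statements at the top of sctp_v4_map_v6() is now what makes the function correct, but nothing in the code says so. The v4 port is held in a local and the v4 address is copied out before sin6_family, sin6_flowinfo or sin6_port are written, and a later cleanup that regroups the sin6_* assignments would bring back the ::ffff:0.0.0.0 result the commit message describes. Please add a comment above "port = addr->v4.sin_port;" saying that the v4 members must be read before any v6 member is written because both views share storage in union sctp_addr. As a style point, the declaration and assignment could be merged into "__be16 port = addr->v4.sin_port;".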
-- 
2.1.0
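The overlap described in the commit message can be reproduced in user space. The program below is an added example, not part of the patch or of the kernel tree: union demo_addr and the helper names are hypothetical, the address is constructed, and it assumes the usual Linux layout in which sin_addr and sin6_flowinfo share an offset.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's union sctp_addr (hypothetical name). */
union demo_addr { struct sockaddr_in v4; struct sockaddr_in6 v6; };

/* Write ::ffff:a.b.c.d into dst; v4 is in network byte order. */
static void set_v4mapped(struct in6_addr *dst, uint32_t v4) {
    memset(dst->s6_addr, 0, 10);
    dst->s6_addr[10] = dst->s6_addr[11] = 0xff;
    memcpy(&dst->s6_addr[12], &v4, sizeof(v4));
}

/* Pre-fix order: sin6_flowinfo is zeroed before sin_addr is read. */
static void map_before_fix(union demo_addr *a) {
    a->v6.sin6_family = AF_INET6;
    a->v6.sin6_flowinfo = 0;  /* same bytes as v4.sin_addr in this layout */
    a->v6.sin6_port = a->v4.sin_port;
    set_v4mapped(&a->v6.sin6_addr, a->v4.sin_addr.s_addr);  /* reads 0 */
}

/* Post-fix order: copy the v4 fields out before writing any v6 member. */
static void map_after_fix(union demo_addr *a) {
    in_port_t port = a->v4.sin_port;
    uint32_t v4 = a->v4.sin_addr.s_addr;
    set_v4mapped(&a->v6.sin6_addr, v4);
    a->v6.sin6_port = port;
    a->v6.sin6_family = AF_INET6;
    a->v6.sin6_flowinfo = 0;
}

/* Map the constructed address 192.0.2.10 and return the IPv4 part (host order). */
static uint32_t embedded_v4(void (*map)(union demo_addr *)) {
    union demo_addr a;
    uint32_t out;
    memset(&a, 0, sizeof(a));
    a.v4.sin_family = AF_INET;
    a.v4.sin_addr.s_addr = htonl(0xC000020AU);
    map(&a);
    memcpy(&out, &a.v6.sin6_addr.s6_addr[12], sizeof(out));
    return ntohl(out);
}

int main(void) {
    printf("before fix: 0x%08x\n", (unsigned)embedded_v4(map_before_fix));
    printf("after fix:  0x%08x\n", (unsigned)embedded_v4(map_after_fix));
    return 0;
}
```

A peer-address allow-list or audit log fed by the pre-fix order would record every IPv4 peer as ::ffff:0.0.0.0, which is why this ordering matters beyond cosmetics.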

