All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
@ 2018-05-02  5:37 ` Xin Long
  0 siblings, 0 replies; 8+ messages in thread
From: Xin Long @ 2018-05-02  5:37 UTC (permalink / raw)
  To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman

When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
after sctp_process_init for the new asoc, if auth is enabled for the
cookie-ack chunk, the active key should also be initialized.

Otherwise, the cookie-ack chunk made later can not be set with auth
shkey properly, and a crash can even be caused by this, as after
Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
needs to hold the shkey when making control chunks.

Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
Reported-by: Jianwen Ji <jiji@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/sctp/sm_statefuns.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index dd0594a..98acfed 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
 			       GFP_ATOMIC))
 		goto nomem;
 
+	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
+		goto nomem;
+
 	/* Make sure no new addresses are being added during the
 	 * restart.  Though this is a pretty complicated attack
 	 * since you'd have to get inside the cookie.
@@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
 			       GFP_ATOMIC))
 		goto nomem;
 
+	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
+		goto nomem;
+
 	/* Update the content of current association.  */
 	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
-- 
2.1.0

^ permalink raw reply related	[flat|nested] 8+ messages in thread
* [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
@ 2018-05-02  5:37 ` Xin Long
  0 siblings, 0 replies; 8+ messages in thread
From: Xin Long @ 2018-05-02  5:37 UTC (permalink / raw)
  To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman

When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
after sctp_process_init for the new asoc, if auth is enabled for the
cookie-ack chunk, the active key should also be initialized.

Otherwise, the cookie-ack chunk made later can not be set with auth
shkey properly, and a crash can even be caused by this, as after
Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
needs to hold the shkey when making control chunks.

Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
Reported-by: Jianwen Ji <jiji@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/sctp/sm_statefuns.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index dd0594a..98acfed 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
 			       GFP_ATOMIC))
 		goto nomem;
 
+	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
+		goto nomem;
+
 	/* Make sure no new addresses are being added during the
 	 * restart.  Though this is a pretty complicated attack
 	 * since you'd have to get inside the cookie.
@@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
 			       GFP_ATOMIC))
 		goto nomem;
 
+	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
+		goto nomem;
+
 	/* Update the content of current association.  */
 	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
-- 
2.1.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
  2018-05-02  5:37 ` Xin Long
@ 2018-05-02 11:38   ` Neil Horman
  -1 siblings, 0 replies; 8+ messages in thread
From: Neil Horman @ 2018-05-02 11:38 UTC (permalink / raw)
  To: Xin Long; +Cc: network dev, linux-sctp, davem, Marcelo Ricardo Leitner

On Wed, May 02, 2018 at 01:37:44PM +0800, Xin Long wrote:
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
> 
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
> 
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
>  net/sctp/sm_statefuns.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index dd0594a..98acfed 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
>  			       GFP_ATOMIC))
>  		goto nomem;
>  
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Make sure no new addresses are being added during the
>  	 * restart.  Though this is a pretty complicated attack
>  	 * since you'd have to get inside the cookie.
> @@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
>  			       GFP_ATOMIC))
>  		goto nomem;
>  
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Update the content of current association.  */
>  	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
>  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
> -- 
> 2.1.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
Acked-by: Neil Horman <nhorman@tuxdriver.com>

^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
@ 2018-05-02 11:38   ` Neil Horman
  0 siblings, 0 replies; 8+ messages in thread
From: Neil Horman @ 2018-05-02 11:38 UTC (permalink / raw)
  To: Xin Long; +Cc: network dev, linux-sctp, davem, Marcelo Ricardo Leitner

On Wed, May 02, 2018 at 01:37:44PM +0800, Xin Long wrote:
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
> 
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
> 
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
>  net/sctp/sm_statefuns.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index dd0594a..98acfed 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
>  			       GFP_ATOMIC))
>  		goto nomem;
>  
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Make sure no new addresses are being added during the
>  	 * restart.  Though this is a pretty complicated attack
>  	 * since you'd have to get inside the cookie.
> @@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
>  			       GFP_ATOMIC))
>  		goto nomem;
>  
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Update the content of current association.  */
>  	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
>  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
> -- 
> 2.1.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
Acked-by: Neil Horman <nhorman@tuxdriver.com>


^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
  2018-05-02  5:37 ` Xin Long
@ 2018-05-02 12:04   ` Marcelo Ricardo Leitner
  -1 siblings, 0 replies; 8+ messages in thread
From: Marcelo Ricardo Leitner @ 2018-05-02 12:04 UTC (permalink / raw)
  To: Xin Long; +Cc: network dev, linux-sctp, davem, Neil Horman

On Wed, May 02, 2018 at 01:37:44PM +0800, Xin Long wrote:
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
>
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
>
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

> ---
>  net/sctp/sm_statefuns.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index dd0594a..98acfed 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
>  			       GFP_ATOMIC))
>  		goto nomem;
>
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Make sure no new addresses are being added during the
>  	 * restart.  Though this is a pretty complicated attack
>  	 * since you'd have to get inside the cookie.
> @@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
>  			       GFP_ATOMIC))
>  		goto nomem;
>
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Update the content of current association.  */
>  	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
>  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
> --
> 2.1.0
>

^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
@ 2018-05-02 12:04   ` Marcelo Ricardo Leitner
  0 siblings, 0 replies; 8+ messages in thread
From: Marcelo Ricardo Leitner @ 2018-05-02 12:04 UTC (permalink / raw)
  To: Xin Long; +Cc: network dev, linux-sctp, davem, Neil Horman

On Wed, May 02, 2018 at 01:37:44PM +0800, Xin Long wrote:
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
>
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
>
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

> ---
>  net/sctp/sm_statefuns.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index dd0594a..98acfed 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
>  			       GFP_ATOMIC))
>  		goto nomem;
>
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Make sure no new addresses are being added during the
>  	 * restart.  Though this is a pretty complicated attack
>  	 * since you'd have to get inside the cookie.
> @@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
>  			       GFP_ATOMIC))
>  		goto nomem;
>
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Update the content of current association.  */
>  	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
>  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
> --
> 2.1.0
>

^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
  2018-05-02  5:37 ` Xin Long
@ 2018-05-02 15:16   ` David Miller
  -1 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2018-05-02 15:16 UTC (permalink / raw)
  To: lucien.xin; +Cc: netdev, linux-sctp, marcelo.leitner, nhorman

From: Xin Long <lucien.xin@gmail.com>
Date: Wed,  2 May 2018 13:37:44 +0800

> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
> 
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
> 
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Applied.

^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
@ 2018-05-02 15:16   ` David Miller
  0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2018-05-02 15:16 UTC (permalink / raw)
  To: lucien.xin; +Cc: netdev, linux-sctp, marcelo.leitner, nhorman

From: Xin Long <lucien.xin@gmail.com>
Date: Wed,  2 May 2018 13:37:44 +0800

> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
> 
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
> 
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Applied.

^ permalink raw reply	[flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-05-02 15:16 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-02  5:37 [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b Xin Long
2018-05-02  5:37 ` Xin Long
2018-05-02 11:38 ` Neil Horman
2018-05-02 11:38   ` Neil Horman
2018-05-02 12:04 ` Marcelo Ricardo Leitner
2018-05-02 12:04   ` Marcelo Ricardo Leitner
2018-05-02 15:16 ` David Miller
2018-05-02 15:16   ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.