From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Subject: Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a
 and dupcook_b
Date: Wed, 2 May 2018 09:04:25 -0300
Message-ID: <20180502120425.GF4977@localhost.localdomain>
References: <96c2191206cb67ccec250ca1ec66d83dc9f40c9a.1525239464.git.lucien.xin@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: network dev <netdev@vger.kernel.org>, linux-sctp@vger.kernel.org,
        davem@davemloft.net, Neil Horman <nhorman@tuxdriver.com>
To: Xin Long <lucien.xin@gmail.com>
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail-qt0-f196.google.com ([209.85.216.196]:44120 "EHLO
        mail-qt0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751216AbeEBME3 (ORCPT
        <rfc822;netdev@vger.kernel.org>); Wed, 2 May 2018 08:04:29 -0400
Content-Disposition: inline
In-Reply-To: <96c2191206cb67ccec250ca1ec66d83dc9f40c9a.1525239464.git.lucien.xin@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

On Wed, May 02, 2018 at 01:37:44PM +0800, Xin Long wrote:
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
>
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
>
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

> ---
>  net/sctp/sm_statefuns.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index dd0594a..98acfed 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
>  			       GFP_ATOMIC))
>  		goto nomem;
>
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Make sure no new addresses are being added during the
>  	 * restart.  Though this is a pretty complicated attack
>  	 * since you'd have to get inside the cookie.
> @@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
>  			       GFP_ATOMIC))
>  		goto nomem;
>
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Update the content of current association.  */
>  	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
>  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
> --
> 2.1.0
>

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Date: Wed, 02 May 2018 12:04:25 +0000
Subject: Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
Message-Id: <20180502120425.GF4977@localhost.localdomain>
List-Id: <linux-sctp.vger.kernel.org>
References: <96c2191206cb67ccec250ca1ec66d83dc9f40c9a.1525239464.git.lucien.xin@gmail.com>
In-Reply-To: <96c2191206cb67ccec250ca1ec66d83dc9f40c9a.1525239464.git.lucien.xin@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Xin Long <lucien.xin@gmail.com>
Cc: network dev <netdev@vger.kernel.org>, linux-sctp@vger.kernel.org, davem@davemloft.net, Neil Horman <nhorman@tuxdriver.com>

On Wed, May 02, 2018 at 01:37:44PM +0800, Xin Long wrote:
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
>
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
>
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

> ---
>  net/sctp/sm_statefuns.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index dd0594a..98acfed 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
>  			       GFP_ATOMIC))
>  		goto nomem;
>
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Make sure no new addresses are being added during the
>  	 * restart.  Though this is a pretty complicated attack
>  	 * since you'd have to get inside the cookie.
> @@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
>  			       GFP_ATOMIC))
>  		goto nomem;
>
> +	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> +		goto nomem;
> +
>  	/* Update the content of current association.  */
>  	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
>  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
> --
> 2.1.0
>