* [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
@ 2018-05-02 5:37 Xin Long
2018-05-02 11:38 ` Neil Horman
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Xin Long @ 2018-05-02 5:37 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman
When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
after sctp_process_init for the new asoc, if auth is enabled for the
cookie-ack chunk, the active key should also be initialized.
Otherwise, the cookie-ack chunk made later can not be set with auth
shkey properly, and a crash can even be caused by this, as after
Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
needs to hold the shkey when making control chunks.
Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
Reported-by: Jianwen Ji <jiji@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/sctp/sm_statefuns.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index dd0594a..98acfed 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
GFP_ATOMIC))
goto nomem;
+ if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
+ goto nomem;
+
/* Make sure no new addresses are being added during the
* restart. Though this is a pretty complicated attack
* since you'd have to get inside the cookie.
@@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
GFP_ATOMIC))
goto nomem;
+ if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
+ goto nomem;
+
/* Update the content of current association. */
sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
--
2.1.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
2018-05-02 5:37 [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b Xin Long
@ 2018-05-02 11:38 ` Neil Horman
2018-05-02 12:04 ` Marcelo Ricardo Leitner
2018-05-02 15:16 ` David Miller
2 siblings, 0 replies; 4+ messages in thread
From: Neil Horman @ 2018-05-02 11:38 UTC (permalink / raw)
To: Xin Long; +Cc: network dev, linux-sctp, davem, Marcelo Ricardo Leitner
On Wed, May 02, 2018 at 01:37:44PM +0800, Xin Long wrote:
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
>
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
>
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
> net/sctp/sm_statefuns.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index dd0594a..98acfed 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
> GFP_ATOMIC))
> goto nomem;
>
> + if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> + goto nomem;
> +
> /* Make sure no new addresses are being added during the
> * restart. Though this is a pretty complicated attack
> * since you'd have to get inside the cookie.
> @@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
> GFP_ATOMIC))
> goto nomem;
>
> + if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> + goto nomem;
> +
> /* Update the content of current association. */
> sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
> sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
> --
> 2.1.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
2018-05-02 5:37 [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b Xin Long
2018-05-02 11:38 ` Neil Horman
@ 2018-05-02 12:04 ` Marcelo Ricardo Leitner
2018-05-02 15:16 ` David Miller
2 siblings, 0 replies; 4+ messages in thread
From: Marcelo Ricardo Leitner @ 2018-05-02 12:04 UTC (permalink / raw)
To: Xin Long; +Cc: network dev, linux-sctp, davem, Neil Horman
On Wed, May 02, 2018 at 01:37:44PM +0800, Xin Long wrote:
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
>
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
>
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> ---
> net/sctp/sm_statefuns.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index dd0594a..98acfed 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -1794,6 +1794,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
> GFP_ATOMIC))
> goto nomem;
>
> + if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> + goto nomem;
> +
> /* Make sure no new addresses are being added during the
> * restart. Though this is a pretty complicated attack
> * since you'd have to get inside the cookie.
> @@ -1906,6 +1909,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
> GFP_ATOMIC))
> goto nomem;
>
> + if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
> + goto nomem;
> +
> /* Update the content of current association. */
> sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
> sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
> --
> 2.1.0
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b
2018-05-02 5:37 [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b Xin Long
2018-05-02 11:38 ` Neil Horman
2018-05-02 12:04 ` Marcelo Ricardo Leitner
@ 2018-05-02 15:16 ` David Miller
2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2018-05-02 15:16 UTC (permalink / raw)
To: lucien.xin; +Cc: netdev, linux-sctp, marcelo.leitner, nhorman
From: Xin Long <lucien.xin@gmail.com>
Date: Wed, 2 May 2018 13:37:44 +0800
> When processing a duplicate cookie-echo chunk, for case 'A' and 'B',
> after sctp_process_init for the new asoc, if auth is enabled for the
> cookie-ack chunk, the active key should also be initialized.
>
> Otherwise, the cookie-ack chunk made later can not be set with auth
> shkey properly, and a crash can even be caused by this, as after
> Commit 1b1e0bc99474 ("sctp: add refcnt support for sh_key"), sctp
> needs to hold the shkey when making control chunks.
>
> Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
> Reported-by: Jianwen Ji <jiji@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Applied.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-05-02 15:16 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-02 5:37 [PATCH net] sctp: init active key for the new asoc in dupcook_a and dupcook_b Xin Long
2018-05-02 11:38 ` Neil Horman
2018-05-02 12:04 ` Marcelo Ricardo Leitner
2018-05-02 15:16 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).