From: Xin Long <lucien.xin@gmail.com>
To: network dev <netdev@vger.kernel.org>,
	davem@davemloft.net, kuba@kernel.org, linux-sctp@vger.kernel.org
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	michael.tuexen@lurchi.franken.de
Subject: [PATCH net 0/7] sctp: enhancements for the verification tag
Date: Wed, 20 Oct 2021 07:42:40 -0400	[thread overview]
Message-ID: <cover.1634730082.git.lucien.xin@gmail.com> (raw)

This patchset is to address CVE-2021-3772:

  A flaw was found in the Linux SCTP stack. A blind attacker may be able to
  kill an existing SCTP association through invalid chunks if the attacker
  knows the IP-addresses and port numbers being used and the attacker can
  send packets with spoofed IP addresses.

This is caused by the missing VTAG verification for the received chunks
and the incorrect vtag for the ABORT used to reply to these invalid
chunks.

This patchset goes over all processing functions for the received
chunks and does the following:

1. Make sure sctp_vtag_verify() is called first to verify the vtag from
   the received chunk and discard this chunk if it fails, with some
   exceptions:

   a. sctp_sf_do_5_1B_init()/5_2_2_dupinit()/9_2_reshutack(), processing
      the INIT chunk, as the sctphdr vtag is always 0 in an INIT chunk.

   b. sctp_sf_do_5_2_4_dupcook(), processing a duplicate COOKIE_ECHO chunk,
      as the vtag verification will be done by sctp_tietags_compare(), and
      it then takes the right actions according to the return value.

   c. sctp_sf_shut_8_4_5(), processing the SHUTDOWN_ACK chunk for the
      cookie_wait and cookie_echoed states, as the RFC demands sending a
      SHUTDOWN_COMPLETE even if the vtag verification failed.

   d. sctp_sf_ootb(), called for many types of chunks in the closed state
      or with no asoc, for the same reason as c.

2. Always use the vtag from the received INIT chunk to make the response
   ABORT in sctp_ootb_pkt_new().

3. Fix the order for some checks and add some missing checks for the
   received chunk.

This patch series has been tested with SCTP TAHI testing to make sure no
regression is caused on protocol conformance.

Xin Long (7):
  sctp: use init_tag from inithdr for ABORT chunk
  sctp: fix the processing for INIT chunk
  sctp: fix the processing for INIT_ACK chunk
  sctp: fix the processing for COOKIE_ECHO chunk
  sctp: add vtag check in sctp_sf_violation
  sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
  sctp: add vtag check in sctp_sf_ootb

 net/sctp/sm_statefuns.c | 139 ++++++++++++++++++++++++----------------
 1 file changed, 85 insertions(+), 54 deletions(-)

-- 
2.27.0
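
The gate the cover letter describes, as an added user-space model (not kernel code, not part of this patchset): a packet's first chunk is run through the verification-tag check before anything else happens, with the four exceptions (a) to (d) above and the init_tag rule from patch 1/7. Wire layouts follow RFC 4960; `struct asoc`, `vtag_gate()`, `gate_one()` and `gate_init()` are names chosen for this example and only mirror `sctp_vtag_verify()` and friends. COOKIE_WAIT and COOKIE_ECHOED are folded into one state, and only the first chunk of a packet is examined.

```c
/* Added example, not kernel code: a user-space model of the verification-tag gate this
 * patchset puts in front of chunk processing. Wire layouts follow RFC 4960; struct asoc
 * and every function name below are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { CID_DATA = 0, CID_INIT = 1, CID_ABORT = 6, CID_SHUTDOWN_ACK = 8, FLAG_T = 0x01 };
enum { COMMON_HDR = 12, CHUNK_HDR = 4, INIT_HDR = 16 }; /* byte sizes per RFC 4960 */
enum asoc_state { STATE_COOKIE_WAIT, STATE_ESTABLISHED }; /* COOKIE_ECHOED folded into WAIT */

/* my_vtag: what the peer must put in packets to us; peer_vtag: what we put in packets to it. */
struct asoc { enum asoc_state state; uint32_t my_vtag, peer_vtag; };

/* DISCARD: drop silently, association untouched. PROCESS: tag verified, hand the chunk to
 * the state machine. REPLY_*: answer with that chunk, its header vtag set to *reply_vtag. */
enum disposition { DISP_DISCARD, DISP_PROCESS, DISP_REPLY_ABORT, DISP_REPLY_SHUTDOWN_COMPLETE };

static uint32_t get_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Gate the first chunk of a packet before any state change; asoc is NULL for an
 * out-of-the-blue packet (no association matched the 4-tuple). */
enum disposition vtag_gate(const struct asoc *asoc, const uint8_t *pkt, size_t len,
                           uint32_t *reply_vtag) {
    if (len < COMMON_HDR + CHUNK_HDR)
        return DISP_DISCARD;
    uint32_t hdr_vtag = get_be32(pkt + 4);
    const uint8_t *chunk = pkt + COMMON_HDR;
    uint8_t type = chunk[0], flags = chunk[1];
    uint16_t clen = (uint16_t)(chunk[2] << 8 | chunk[3]);
    if (clen < CHUNK_HDR || clen > len - COMMON_HDR)
        return DISP_DISCARD;

    if (type == CID_INIT) {
        /* Exception (a): INIT travels with header vtag 0 (RFC 4960 8.5.1 A). */
        if (hdr_vtag != 0 || clen < CHUNK_HDR + INIT_HDR)
            return DISP_DISCARD;
        uint32_t init_tag = get_be32(chunk + 4);
        uint16_t os = (uint16_t)(chunk[12] << 8 | chunk[13]);
        uint16_t mis = (uint16_t)(chunk[14] << 8 | chunk[15]);
        /* Patch 1/7: the reply (INIT_ACK, or ABORT when init_tag/OS/MIS is 0, RFC 4960
         * 3.3.2) carries the peer's init_tag, not the 0 found in the header. */
        *reply_vtag = init_tag;
        return (init_tag == 0 || os == 0 || mis == 0) ? DISP_REPLY_ABORT : DISP_PROCESS;
    }
    if (!asoc) {
        /* Exception (d), sctp_sf_ootb(): no tag to check against; RFC 4960 8.4 reflects
         * the received tag back with the T bit set. */
        *reply_vtag = hdr_vtag;
        if (type == CID_ABORT)
            return DISP_DISCARD;                 /* 8.4 rule 2 */
        if (type == CID_SHUTDOWN_ACK)
            return DISP_REPLY_SHUTDOWN_COMPLETE; /* 8.4 rule 5 */
        return DISP_REPLY_ABORT;                 /* 8.4 rule 8 */
    }
    /* sctp_vtag_verify(): the header tag must be our own tag. An ABORT with the T bit
     * may carry our peer's tag instead (RFC 4960 8.5.1 B, sctp_vtag_verify_either()). */
    if (hdr_vtag == asoc->my_vtag ||
        (type == CID_ABORT && (flags & FLAG_T) && hdr_vtag == asoc->peer_vtag))
        return DISP_PROCESS;
    /* Exception (c), sctp_sf_shut_8_4_5(): a SHUTDOWN_ACK arriving in COOKIE_WAIT or
     * COOKIE_ECHOED is answered with SHUTDOWN_COMPLETE even though the tag mismatched. */
    if (type == CID_SHUTDOWN_ACK && asoc->state == STATE_COOKIE_WAIT) {
        *reply_vtag = hdr_vtag;
        return DISP_REPLY_SHUTDOWN_COMPLETE;
    }
    /* The CVE-2021-3772 fix: a chunk whose tag does not verify is dropped, never acted
     * on and never answered with an ABORT. */
    return DISP_DISCARD;
}

/* Build a one-chunk packet (ports and checksum left 0) and gate it. */
enum disposition gate_one(const struct asoc *asoc, uint32_t vtag, uint8_t type, uint8_t flags,
                          const uint8_t *body, size_t blen, uint32_t *reply_vtag) {
    uint8_t pkt[64] = {0};
    size_t clen = CHUNK_HDR + blen;
    if (blen > sizeof pkt - COMMON_HDR - CHUNK_HDR) return DISP_DISCARD;
    put_be32(pkt + 4, vtag);
    pkt[12] = type; pkt[13] = flags; pkt[14] = (uint8_t)(clen >> 8); pkt[15] = (uint8_t)clen;
    if (blen) memcpy(pkt + COMMON_HDR + CHUNK_HDR, body, blen);
    return vtag_gate(asoc, pkt, COMMON_HDR + clen, reply_vtag);
}

/* Gate an INIT carrying the given init_tag and stream counts (a_rwnd and TSN fixed). */
enum disposition gate_init(const struct asoc *asoc, uint32_t hdr_vtag, uint32_t init_tag,
                           uint16_t os, uint16_t mis, uint32_t *reply_vtag) {
    uint8_t body[INIT_HDR] = {0};
    put_be32(body, init_tag);
    put_be32(body + 4, 65535);                    /* a_rwnd */
    put_be32(body + 8, (uint32_t)os << 16 | mis); /* OS, MIS */
    put_be32(body + 12, 1);                       /* initial TSN */
    return gate_one(asoc, hdr_vtag, CID_INIT, 0, body, sizeof body, reply_vtag);
}
```

With a constructed association whose tags are 0x11111111 (ours) and 0x22222222 (the peer's), a blind attacker who knows the 4-tuple but guesses the tag gets `DISP_DISCARD` for a spoofed ABORT, DATA or SHUTDOWN_ACK, so the association survives; the peer's own ABORT (our tag, or its tag with the T bit) passes; an INIT with OS set to 0 yields `DISP_REPLY_ABORT` with `reply_vtag` equal to the INIT's init_tag rather than the header's 0; and an INIT whose header tag is non-zero is discarded outright. Note the order of checks: lengths first, then the tag, and only then any reply, so a malformed or unverifiable chunk can never produce a packet or a state change.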


Thread overview: 11+ messages
2021-10-20 11:42 Xin Long [this message]
2021-10-20 11:42 ` [PATCH net 1/7] sctp: use init_tag from inithdr for ABORT chunk Xin Long
2021-10-20 11:42 ` [PATCH net 2/7] sctp: fix the processing for INIT chunk Xin Long
2021-10-20 11:42 ` [PATCH net 3/7] sctp: fix the processing for INIT_ACK chunk Xin Long
2021-10-20 11:42 ` [PATCH net 4/7] sctp: fix the processing for COOKIE_ECHO chunk Xin Long
2021-10-20 11:42 ` [PATCH net 5/7] sctp: add vtag check in sctp_sf_violation Xin Long
2021-10-20 11:42 ` [PATCH net 6/7] sctp: add vtag check in sctp_sf_do_8_5_1_E_sa Xin Long
2021-10-20 11:42 ` [PATCH net 7/7] sctp: add vtag check in sctp_sf_ootb Xin Long
2021-10-20 23:23 ` [PATCH net 0/7] sctp: enhancements for the verification tag Marcelo Ricardo Leitner
2021-10-22  1:45 ` Marcelo Ricardo Leitner
2021-10-22 23:38   ` Jakub Kicinski
