| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Nov 2017 10:35:00 +0900 (KST)
From: David Miller <davem@...emloft.net>
To: lucien.xin@...il.com
Cc: netdev@...r.kernel.org, linux-sctp@...r.kernel.org,
marcelo.leitner@...il.com, nhorman@...driver.com,
syzkaller@...glegroups.com, liuhangbin@...il.com
Subject: Re: [PATCH net] sctp: set frag_point in sctp_setsockopt_maxseg
correctly
From: Xin Long <lucien.xin@...il.com>
Date: Fri, 17 Nov 2017 14:11:11 +0800
> Now in sctp_setsockopt_maxseg user_frag or frag_point can be set with
> val >= 8 and val <= SCTP_MAX_CHUNK_LEN. But both checks are incorrect.
>
> val >= 8 means frag_point can even be less than SCTP_DEFAULT_MINSEGMENT.
> Then in sctp_datamsg_from_user(), when it's value is greater than cookie
> echo len and trying to bundle with cookie echo chunk, the first_len will
> overflow.
>
> The worse case is when it's value is equal as cookie echo len, first_len
> becomes 0, it will go into a dead loop for fragment later on. In Hangbin
> syzkaller testing env, oom was even triggered due to consecutive memory
> allocation in that loop.
>
> Besides, SCTP_MAX_CHUNK_LEN is the max size of the whole chunk, it should
> deduct the data header for frag_point or user_frag check.
>
> This patch does a proper check with SCTP_DEFAULT_MINSEGMENT subtracting
> the sctphdr and datahdr, SCTP_MAX_CHUNK_LEN subtracting datahdr when
> setting frag_point via sockopt. It also improves sctp_setsockopt_maxseg
> codes.
>
> Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> Reported-by: Hangbin Liu <liuhangbin@...il.com>
> Signed-off-by: Xin Long <lucien.xin@...il.com>
Applied.
Powered by blists - more mailing lists