lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <46A8E027.10802@hp.com>
Date:	Thu, 26 Jul 2007 13:55:51 -0400
From:	Vlad Yasevich <vladislav.yasevich@...com>
To:	Dave Johnson <djohnson+linux-kernel@...starentnetworks.com>
Cc:	lksctp-developers@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org,
	Srinivas Akkipeddi <sakkiped@...rentnetworks.com>
Subject: Re: [PATCH] SCTP: IPv4 mapped addr not returned in SCTPv6 accept()

Dave Johnson wrote:
> An accept() call on a SCTPv6 socket that returns due to connection of
> a IPv4 mapped peer will fill out the 'struct sockaddr' with a zero
> IPv6 address instead of the IPv4 mapped address of the peer.
> 
> This is due to the v4mapped flag not getting copied into the new
> socket on accept() as well as a missing check for INET6 socket type in
> sctp_v4_to_sk_*addr().
> 
> Signed-off-by: Dave Johnson <djohnson+linux-kernel@...starentnetworks.com>
> Cc: Srinivas Akkipeddi <sakkiped@...rentnetworks.com>
> 
> ===== net/sctp/ipv6.c 1.108 vs edited =====
> --- 1.108/net/sctp/ipv6.c	2007-07-05 20:40:15 -04:00
> +++ edited/net/sctp/ipv6.c	2007-07-25 16:30:41 -04:00
> @@ -641,6 +641,8 @@
>  	newsctp6sk = (struct sctp6_sock *)newsk;
>  	inet_sk(newsk)->pinet6 = &newsctp6sk->inet6;
>  
> +	sctp_sk(newsk)->v4mapped = sctp_sk(sk)->v4mapped;
> +
>  	newinet = inet_sk(newsk);
>  	newnp = inet6_sk(newsk);
>  
> ===== net/sctp/protocol.c 1.130 vs edited =====
> --- 1.130/net/sctp/protocol.c	2007-05-04 16:36:30 -04:00
> +++ edited/net/sctp/protocol.c	2007-07-25 16:28:21 -04:00
> @@ -257,13 +257,28 @@
>  /* Initialize sk->sk_rcv_saddr from sctp_addr. */
>  static void sctp_v4_to_sk_saddr(union sctp_addr *addr, struct sock *sk)
>  {
> -	inet_sk(sk)->rcv_saddr = addr->v4.sin_addr.s_addr;
> +	if ((sk->sk_family == PF_INET6) && (sctp_sk(sk)->v4mapped)) {
> +		inet6_sk(sk)->rcv_saddr.s6_addr32[0] = 0;
> +		inet6_sk(sk)->rcv_saddr.s6_addr32[1] = 0;
> +		inet6_sk(sk)->rcv_saddr.s6_addr32[2] = htonl(0x0000ffff);
> +		inet6_sk(sk)->rcv_saddr.s6_addr32[3] =
> +			addr->v4.sin_addr.s_addr;
> +	} else {
> +		inet_sk(sk)->rcv_saddr = addr->v4.sin_addr.s_addr;
> +	}
>  }
>  
>  /* Initialize sk->sk_daddr from sctp_addr. */
>  static void sctp_v4_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
>  {
> -	inet_sk(sk)->daddr = addr->v4.sin_addr.s_addr;
> +	if ((sk->sk_family == PF_INET6) && (sctp_sk(sk)->v4mapped)) {
> +		inet6_sk(sk)->daddr.s6_addr32[0] = 0;
> +		inet6_sk(sk)->daddr.s6_addr32[1] = 0;
> +		inet6_sk(sk)->daddr.s6_addr32[2] = htonl(0x0000ffff);
> +		inet6_sk(sk)->daddr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
> +	} else {
> +		inet_sk(sk)->daddr = addr->v4.sin_addr.s_addr;
> +	}
>  }
>  
>  /* Initialize a sctp_addr from an address parameter. */
> @@ -557,6 +572,8 @@
>  	newsk->sk_protocol = IPPROTO_SCTP;
>  	newsk->sk_backlog_rcv = sk->sk_prot->backlog_rcv;
>  	sock_reset_flag(newsk, SOCK_ZAPPED);
> +
> +	sctp_sk(newsk)->v4mapped = sctp_sk(sk)->v4mapped;
>  
>  	newinet = inet_sk(newsk);
>  
> 

Can you explain why the sctp_v4 changes are need for the this case?
I don't see how the code in sctp/protocol.c comes into play for this
particular bug.

Thanks
-vlad

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ