| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Jun 2018 15:21:47 -0300
From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To: Ben Hutchings <ben.hutchings@...ethink.co.uk>
Cc: Xin Long <lucien.xin@...il.com>,
Neil Horman <nhorman@...driver.com>, stable@...r.kernel.org,
"David S. Miller" <davem@...emloft.net>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 4.4 19/92] sctp: delay the authentication for the
duplicated cookie-echo chunk
On Wed, Jun 06, 2018 at 11:31:47PM +0100, Ben Hutchings wrote:
> On Thu, 2018-05-24 at 11:37 +0200, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Xin Long <lucien.xin@...il.com>
> >
> > [ Upstream commit 59d8d4434f429b4fa8a346fd889058bda427a837 ]
> >
> > Now sctp only delays the authentication for the normal cookie-echo
> > chunk by setting chunk->auth_chunk in sctp_endpoint_bh_rcv(). But
> > for the duplicated one with auth, in sctp_assoc_bh_rcv(), it does
> > authentication first based on the old asoc, which will definitely
> > fail due to the different auth info in the old asoc.
> [...]
> > --- a/net/sctp/associola.c
> > +++ b/net/sctp/associola.c
> > @@ -1000,9 +1000,10 @@ static void sctp_assoc_bh_rcv(struct wor
> > struct sctp_endpoint *ep;
> > struct sctp_chunk *chunk;
> > struct sctp_inq *inqueue;
> > - int state;
> > sctp_subtype_t subtype;
> > + int first_time = 1; /* is this the first time through the loop */
> > int error = 0;
> > + int state;
> >
> > /* The association should be held so we should be safe. */
> > ep = asoc->ep;
> > @@ -1013,6 +1014,30 @@ static void sctp_assoc_bh_rcv(struct wor
> > state = asoc->state;
> > subtype = SCTP_ST_CHUNK(chunk->chunk_hdr->type);
> >
> > + /* If the first chunk in the packet is AUTH, do special
> > + * processing specified in Section 6.3 of SCTP-AUTH spec
> > + */
> > + if (first_time && subtype.chunk == SCTP_CID_AUTH) {
> > + struct sctp_chunkhdr *next_hdr;
> > +
> > + next_hdr = sctp_inq_peek(inqueue);
> > + if (!next_hdr)
> > + goto normal;
> > +
> > + /* If the next chunk is COOKIE-ECHO, skip the AUTH
> > + * chunk while saving a pointer to it so we can do
> > + * Authentication later (during cookie-echo
> > + * processing).
> > + */
> > + if (next_hdr->type == SCTP_CID_COOKIE_ECHO) {
> > + chunk->auth_chunk = skb_clone(chunk->skb,
> > + GFP_ATOMIC);
> > + chunk->auth = 1;
>
> Doesn't the first_time flag need to be cleared here (and before the
> other continue statement in this loop)?
Seems the description is not matching the code closely. As is,
first_time is about the first time an AUTH chunk is handled followed
by a COOKIE-ECHO chunk (which is what we wanted, in the end), and not
strictly enforcing 'first chunk in the packet', as the description
says.
We should rename this first_time into a chunk counter instead. It
may even help with debugging on crashes.
Thanks for reviewing this, btw.
Marcelo
>
> Ben.
>
> > + continue;
> > + }
> > + }
> > +
> > +normal:
> [...]
>
> --
> Ben Hutchings, Software Developer Codethink Ltd
> https://www.codethink.co.uk/ Dale House, 35 Dale Street
> Manchester, M1 2HF, United Kingdom
Powered by blists - more mailing lists