lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <46D223A0.3080604@cn.fujitsu.com>
Date:	Mon, 27 Aug 2007 09:06:40 +0800
From:	Wei Yongjun <yjwei@...fujitsu.com>
To:	lksctp-developers@...ts.sourceforge.net, netdev@...r.kernel.org,
	Vlad Yasevich <vladislav.yasevich@...com>
Subject: SCTP: Fix dead loop while received unexpected chunk with length set
 to zero

A ootb chunk such as data in close state or init-ack in estab state will 
cause SCTP to enter dead loop. Look like this:

(1)
  Endpoint A                      Endpoint B
  (Closed)                        (Closed)

  DATA      ----------------->   Kernel dead loop
  (With Length set to zero)

(2)
  Endpoint A                      Endpoint B
  (Established)                   (Established)

  INIT-ACK   ----------------->   Kernel dead loop
  (With Length set to zero)


This is beacuse when process chunks, chunk->chunk_end is set to the 
chunk->chunk_hdr plus chunk length, if chunk length is set to zero, 
chunk->chunk_end will be never changed and process enter dead loop.
Following is the patch.

Signed-off-by: Wei Yongjun <yjwei@...fujitsu.com>

--- a/net/sctp/inqueue.c	2007-08-25 10:53:45.000000000 -0400
+++ b/net/sctp/inqueue.c	2007-08-26 05:45:57.000000000 -0400
@@ -165,10 +165,8 @@ struct sctp_chunk *sctp_inq_pop(struct s
 	skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
 	chunk->subh.v = NULL; /* Subheader is no longer valid.  */
 
-	if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
-		/* This is not a singleton */
-		chunk->singleton = 0;
-	} else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
+	if (chunk->chunk_end > skb_tail_pointer(chunk->skb) ||
+	    chunk->chunk_end == chunk->chunk_hdr) {
 		/* RFC 2960, Section 6.10  Bundling
 		 *
 		 * Partial chunks MUST NOT be placed in an SCTP packet.
@@ -183,6 +181,9 @@ struct sctp_chunk *sctp_inq_pop(struct s
 		chunk = queue->in_progress = NULL;
 
 		return NULL;
+	} else if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
+		/* This is not a singleton */
+		chunk->singleton = 0;
 	} else {
 		/* We are at the end of the packet, so mark the chunk
 		 * in case we need to send a SACK.


-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ