lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 28 Aug 2007 11:58:40 -0400
From:	Vlad Yasevich <vladislav.yasevich@...com>
To:	Wei Yongjun <yjwei@...fujitsu.com>
Cc:	lksctp-developers@...ts.sourceforge.net, netdev@...r.kernel.org
Subject: Re: [Lksctp-developers] SCTP: Fix dead loop while received unexpected
 chunk with length set to zero

Wei Yongjun wrote:
> A ootb chunk such as data in close state or init-ack in estab state will 
> cause SCTP to enter dead loop. Look like this:
> 
> (1)
>   Endpoint A                      Endpoint B
>   (Closed)                        (Closed)
> 
>   DATA      ----------------->   Kernel dead loop
>   (With Length set to zero)
> 
> (2)
>   Endpoint A                      Endpoint B
>   (Established)                   (Established)
> 
>   INIT-ACK   ----------------->   Kernel dead loop
>   (With Length set to zero)
> 
> 
> This is beacuse when process chunks, chunk->chunk_end is set to the 
> chunk->chunk_hdr plus chunk length, if chunk length is set to zero, 
> chunk->chunk_end will be never changed and process enter dead loop.
> Following is the patch.

NACK

Section 8.4:

   An SCTP packet is called an "out of the blue" (OOTB) packet if it is
   correctly formed (i.e., passed the receiver's CRC32c check; see
   Section 6.8), but the receiver is not able to identify the
   association to which this packet belongs.


I would argue that the packet is not correctly formed in this case
and deserves a protocol violation ABORT in return.

-vlad

> 
> Signed-off-by: Wei Yongjun <yjwei@...fujitsu.com>
> 
> --- a/net/sctp/inqueue.c	2007-08-25 10:53:45.000000000 -0400
> +++ b/net/sctp/inqueue.c	2007-08-26 05:45:57.000000000 -0400
> @@ -165,10 +165,8 @@ struct sctp_chunk *sctp_inq_pop(struct s
>  	skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
>  	chunk->subh.v = NULL; /* Subheader is no longer valid.  */
>  
> -	if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
> -		/* This is not a singleton */
> -		chunk->singleton = 0;
> -	} else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
> +	if (chunk->chunk_end > skb_tail_pointer(chunk->skb) ||
> +	    chunk->chunk_end == chunk->chunk_hdr) {
>  		/* RFC 2960, Section 6.10  Bundling
>  		 *
>  		 * Partial chunks MUST NOT be placed in an SCTP packet.
> @@ -183,6 +181,9 @@ struct sctp_chunk *sctp_inq_pop(struct s
>  		chunk = queue->in_progress = NULL;
>  
>  		return NULL;
> +	} else if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
> +		/* This is not a singleton */
> +		chunk->singleton = 0;
>  	} else {
>  		/* We are at the end of the packet, so mark the chunk
>  		 * in case we need to send a SACK.
> 
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> Lksctp-developers mailing list
> Lksctp-developers@...ts.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lksctp-developers
> 

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ