• Daniel Borkmann's avatar
    net: sctp: fix information leaks in ulpevent layer · 2a3fda71
    Daniel Borkmann authored
    [ Upstream commit 8f2e5ae4 ]
    
    While working on some other SCTP code, I noticed that some
    structures shared with user space are leaking uninitialized
    stack or heap buffer. In particular, struct sctp_sndrcvinfo
    has a 2 bytes hole between .sinfo_flags and .sinfo_ppid that
    remains unfilled by us in sctp_ulpevent_read_sndrcvinfo() when
    putting this into cmsg. But also struct sctp_remote_error
    contains a 2 bytes hole that we don't fill but place into a skb
    through skb_copy_expand() via sctp_ulpevent_make_remote_error().
    
    Both structures are defined by the IETF in RFC6458:
    
    * Section 5.3.2. SCTP Header Information Structure:
    
      The sctp_sndrcvinfo structure is defined below:
    
      struct sctp_sndrcvinfo {
        uint16_t sinfo_stream;
        uint16_t sinfo_ssn;
        uint16_t sinfo_flags;
        <-- 2 bytes hole  -->
        uint32_t sinfo_ppid;
        uint32_t sinfo_context;
        uint32_t sinfo_timetolive;
        uint32_t sinfo_tsn;
        uint32_t sinfo_cumtsn;
        sctp_assoc_t sinfo_assoc_id;
      };
    
    * 6.1.3. SCTP_REMOTE_ERROR:
    
      A remote peer may send an Operation Error message to its peer.
      This message indicates a variety of error conditions on an
      association. The entire ERROR chunk as it appears on the wire
      is included in an SCTP_REMOTE_ERROR event. Please refer to the
      SCTP specification [RFC4960] and any extensions for a list of
      possible error formats. An SCTP error notification has the
      following format:
    
      struct sctp_remote_error {
        uint16_t sre_type;
        uint16_t sre_flags;
        uint32_t sre_length;
        uint16_t sre_error;
        <-- 2 bytes hole  -->
        sctp_assoc_t sre_assoc_id;
        uint8_t  sre_data[];
      };
    
    Fix this by setting both to 0 before filling them out. We also
    have other structures shared between user and kernel space in
    SCTP that contains holes (e.g. struct sctp_paddrthlds), but we
    copy that buffer over from user space first and thus don't need
    to care about it in that cases.
    
    While at it, we can also remove lengthy comments copied from
    the draft, instead, we update the comment with the correct RFC
    number where one can look it up.
    Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    2a3fda71
ulpevent.c 27.7 KB