Commit 0356010d authored by Xin Long's avatar Xin Long Committed by Jakub Kicinski

sctp: bring inet(6)_skb_parm back to sctp_input_cb

inet(6)_skb_parm was removed from sctp_input_cb by Commit a1dd2cf2
("sctp: allow changing transport encap_port by peer packets"), as it
thought sctp_input_cb->header is not used any more in SCTP.

syzbot reported a crash:

  [ ] BUG: KASAN: use-after-free in decode_session6+0xe7c/0x1580
  [ ]
  [ ] Call Trace:
  [ ]  <IRQ>
  [ ]  dump_stack+0x107/0x163
  [ ]  kasan_report.cold+0x1f/0x37
  [ ]  decode_session6+0xe7c/0x1580
  [ ]  __xfrm_policy_check+0x2fa/0x2850
  [ ]  sctp_rcv+0x12b0/0x2e30
  [ ]  sctp6_rcv+0x22/0x40
  [ ]  ip6_protocol_deliver_rcu+0x2e8/0x1680
  [ ]  ip6_input_finish+0x7f/0x160
  [ ]  ip6_input+0x9c/0xd0
  [ ]  ipv6_rcv+0x28e/0x3c0

It was caused by sctp_input_cb->header/IP6CB(skb) still used in sctp rx
path decode_session6() but some members overwritten by sctp6_rcv().

This patch is to fix it by bring inet(6)_skb_parm back to sctp_input_cb
and not overwriting it in sctp4/6_rcv() and sctp_udp_rcv().

Reported-by: syzbot+5be8aebb1b7dfa90ef31@syzkaller.appspotmail.com
Fixes: a1dd2cf2 ("sctp: allow changing transport encap_port by peer packets")
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://lore.kernel.org/r/136c1a7a419341487c504be6d1996928d9d16e02.1604472932.git.lucien.xin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 67438feb
...@@ -1121,6 +1121,12 @@ static inline void sctp_outq_cork(struct sctp_outq *q) ...@@ -1121,6 +1121,12 @@ static inline void sctp_outq_cork(struct sctp_outq *q)
* sctp_input_cb is currently used on rx and sock rx queue * sctp_input_cb is currently used on rx and sock rx queue
*/ */
struct sctp_input_cb { struct sctp_input_cb {
union {
struct inet_skb_parm h4;
#if IS_ENABLED(CONFIG_IPV6)
struct inet6_skb_parm h6;
#endif
} header;
struct sctp_chunk *chunk; struct sctp_chunk *chunk;
struct sctp_af *af; struct sctp_af *af;
__be16 encap_port; __be16 encap_port;
......
...@@ -1074,7 +1074,7 @@ static struct inet_protosw sctpv6_stream_protosw = { ...@@ -1074,7 +1074,7 @@ static struct inet_protosw sctpv6_stream_protosw = {
static int sctp6_rcv(struct sk_buff *skb) static int sctp6_rcv(struct sk_buff *skb)
{ {
memset(skb->cb, 0, sizeof(skb->cb)); SCTP_INPUT_CB(skb)->encap_port = 0;
return sctp_rcv(skb) ? -1 : 0; return sctp_rcv(skb) ? -1 : 0;
} }
......
...@@ -843,7 +843,6 @@ static int sctp_ctl_sock_init(struct net *net) ...@@ -843,7 +843,6 @@ static int sctp_ctl_sock_init(struct net *net)
static int sctp_udp_rcv(struct sock *sk, struct sk_buff *skb) static int sctp_udp_rcv(struct sock *sk, struct sk_buff *skb)
{ {
memset(skb->cb, 0, sizeof(skb->cb));
SCTP_INPUT_CB(skb)->encap_port = udp_hdr(skb)->source; SCTP_INPUT_CB(skb)->encap_port = udp_hdr(skb)->source;
skb_set_transport_header(skb, sizeof(struct udphdr)); skb_set_transport_header(skb, sizeof(struct udphdr));
...@@ -1163,7 +1162,7 @@ static struct inet_protosw sctp_stream_protosw = { ...@@ -1163,7 +1162,7 @@ static struct inet_protosw sctp_stream_protosw = {
static int sctp4_rcv(struct sk_buff *skb) static int sctp4_rcv(struct sk_buff *skb)
{ {
memset(skb->cb, 0, sizeof(skb->cb)); SCTP_INPUT_CB(skb)->encap_port = 0;
return sctp_rcv(skb); return sctp_rcv(skb);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment