linux/net/sctp
Daniel Borkmann 8f2e5ae40e net: sctp: fix information leaks in ulpevent layer
While working on some other SCTP code, I noticed that some
structures shared with user space are leaking uninitialized
stack or heap buffer. In particular, struct sctp_sndrcvinfo
has a 2 bytes hole between .sinfo_flags and .sinfo_ppid that
remains unfilled by us in sctp_ulpevent_read_sndrcvinfo() when
putting this into cmsg. But also struct sctp_remote_error
contains a 2 bytes hole that we don't fill but place into a skb
through skb_copy_expand() via sctp_ulpevent_make_remote_error().

Both structures are defined by the IETF in RFC6458:

* Section 5.3.2. SCTP Header Information Structure:

  The sctp_sndrcvinfo structure is defined below:

  struct sctp_sndrcvinfo {
    uint16_t sinfo_stream;
    uint16_t sinfo_ssn;
    uint16_t sinfo_flags;
    <-- 2 bytes hole  -->
    uint32_t sinfo_ppid;
    uint32_t sinfo_context;
    uint32_t sinfo_timetolive;
    uint32_t sinfo_tsn;
    uint32_t sinfo_cumtsn;
    sctp_assoc_t sinfo_assoc_id;
  };

* 6.1.3. SCTP_REMOTE_ERROR:

  A remote peer may send an Operation Error message to its peer.
  This message indicates a variety of error conditions on an
  association. The entire ERROR chunk as it appears on the wire
  is included in an SCTP_REMOTE_ERROR event. Please refer to the
  SCTP specification [RFC4960] and any extensions for a list of
  possible error formats. An SCTP error notification has the
  following format:

  struct sctp_remote_error {
    uint16_t sre_type;
    uint16_t sre_flags;
    uint32_t sre_length;
    uint16_t sre_error;
    <-- 2 bytes hole  -->
    sctp_assoc_t sre_assoc_id;
    uint8_t  sre_data[];
  };

Fix this by setting both to 0 before filling them out. We also
have other structures shared between user and kernel space in
SCTP that contains holes (e.g. struct sctp_paddrthlds), but we
copy that buffer over from user space first and thus don't need
to care about it in that cases.

While at it, we can also remove lengthy comments copied from
the draft, instead, we update the comment with the correct RFC
number where one can look it up.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-07-14 14:18:56 -07:00
..
associola.c sctp: Fix sk_ack_backlog wrap-around problem 2014-06-12 10:27:14 -07:00
auth.c net: sctp: cache auth_enable per endpoint 2014-04-18 18:32:00 -04:00
bind_addr.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
chunk.c sctp: fix checkpatch errors with space required or prohibited 2013-12-26 13:47:47 -05:00
command.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
debug.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
endpointola.c net: sctp: migrate most recently used transport to ktime 2014-06-11 12:23:17 -07:00
input.c sctp: remove macros sctp_bh_[un]lock_sock 2014-01-21 18:41:36 -08:00
inqueue.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ipv6.c net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
Kconfig net: sctp: get rid of SCTP_DBG_TSNS entirely 2013-07-02 00:08:03 -07:00
Makefile
objcnt.c sctp: fix checkpatch errors with (foo*)|foo * bar|foo* bar 2013-12-26 13:47:47 -05:00
output.c net: rename local_df to ignore_df 2014-05-12 14:03:41 -04:00
outqueue.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-01-06 17:37:45 -05:00
primitive.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
probe.c sctp: loading sctp when load sctp_probe 2013-12-16 20:04:27 -05:00
proc.c snmp: fix some left over of snmp stats 2014-05-14 15:33:47 -04:00
protocol.c net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
sm_make_chunk.c ktime: add ktime_after and ktime_before helper 2014-06-11 12:23:17 -07:00
sm_sideeffect.c net: sctp: Don't transition to PF state when transport has exhausted 'Path.Max.Retrans'. 2014-04-27 23:41:14 -04:00
sm_statefuns.c net: sctp: cache auth_enable per endpoint 2014-04-18 18:32:00 -04:00
sm_statetable.c sctp: fix checkpatch errors with indent 2013-12-26 13:47:48 -05:00
socket.c net: Split sk_no_check into sk_no_check_{rx,tx} 2014-05-23 16:28:53 -04:00
ssnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
sysctl.c net: sctp: check proc_dointvec result in proc_sctp_do_auth 2014-06-19 21:30:19 -07:00
transport.c net: sctp: migrate most recently used transport to ktime 2014-06-11 12:23:17 -07:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c net: sctp: fix information leaks in ulpevent layer 2014-07-14 14:18:56 -07:00
ulpqueue.c sctp: add support for busy polling to sctp protocol 2014-04-20 18:18:55 -04:00