Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 133800d1 authored by Marcelo Ricardo Leitner's avatar Marcelo Ricardo Leitner Committed by David S. Miller
Browse files

sctp: fix copying more bytes than expected in sctp_add_bind_addr 



Dmitry reported that sctp_add_bind_addr may read more bytes than
expected in case the parameter is a IPv4 addr supplied by the user
through calls such as sctp_bindx_add(), because it always copies
sizeof(union sctp_addr) while the buffer may be just a struct
sockaddr_in, which is smaller.

This patch then fixes it by limiting the memcpy to the min between the
union size and a (new parameter) provided addr size. Where possible this
parameter still is the size of that union, except for reading from
user-provided buffers, which then it accounts for protocol type.

Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent e2857b8f

include/net/sctp/structs.h

+1 −1
Original line number Diff line number Diff line
@@ -1098,7 +1098,7 @@ int sctp_bind_addr_dup(struct sctp_bind_addr *dest, 
			const struct sctp_bind_addr *src,

			gfp_t gfp);

int sctp_add_bind_addr(struct sctp_bind_addr *, union sctp_addr *,

		       __u8 addr_state, gfp_t gfp);

		       int new_size, __u8 addr_state, gfp_t gfp);

int sctp_del_bind_addr(struct sctp_bind_addr *, union sctp_addr *);

int sctp_bind_addr_match(struct sctp_bind_addr *, const union sctp_addr *,

			 struct sctp_sock *);

net/sctp/bind_addr.c

+8 −6
Original line number Diff line number Diff line
@@ -111,7 +111,8 @@ int sctp_bind_addr_dup(struct sctp_bind_addr *dest, 
	dest->port = src->port;



	list_for_each_entry(addr, &src->address_list, list) {

		error = sctp_add_bind_addr(dest, &addr->a, 1, gfp);

		error = sctp_add_bind_addr(dest, &addr->a, sizeof(addr->a),

					   1, gfp);

		if (error < 0)

			break;

	}
@@ -150,7 +151,7 @@ void sctp_bind_addr_free(struct sctp_bind_addr *bp) 


/* Add an address to the bind address list in the SCTP_bind_addr structure. */

int sctp_add_bind_addr(struct sctp_bind_addr *bp, union sctp_addr *new,

		       __u8 addr_state, gfp_t gfp)

		       int new_size, __u8 addr_state, gfp_t gfp)

{

	struct sctp_sockaddr_entry *addr;
@@ -159,7 +160,7 @@ int sctp_add_bind_addr(struct sctp_bind_addr *bp, union sctp_addr *new, 
	if (!addr)

		return -ENOMEM;



	memcpy(&addr->a, new, sizeof(*new));

	memcpy(&addr->a, new, min_t(size_t, sizeof(*new), new_size));



	/* Fix up the port if it has not yet been set.

	 * Both v4 and v6 have the port at the same offset.
@@ -291,7 +292,8 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list, 
		}



		af->from_addr_param(&addr, rawaddr, htons(port), 0);

		retval = sctp_add_bind_addr(bp, &addr, SCTP_ADDR_SRC, gfp);

		retval = sctp_add_bind_addr(bp, &addr, sizeof(addr),

					    SCTP_ADDR_SRC, gfp);

		if (retval) {

			/* Can't finish building the list, clean up. */

			sctp_bind_addr_clean(bp);
@@ -453,8 +455,8 @@ static int sctp_copy_one_addr(struct net *net, struct sctp_bind_addr *dest, 
		    (((AF_INET6 == addr->sa.sa_family) &&

		      (flags & SCTP_ADDR6_ALLOWED) &&

		      (flags & SCTP_ADDR6_PEERSUPP))))

			error = sctp_add_bind_addr(dest, addr, SCTP_ADDR_SRC,

						    gfp);

			error = sctp_add_bind_addr(dest, addr, sizeof(*addr),

						   SCTP_ADDR_SRC, gfp);

	}



	return error;

net/sctp/protocol.c

+1 −0
Original line number Diff line number Diff line
@@ -216,6 +216,7 @@ int sctp_copy_local_addr_list(struct net *net, struct sctp_bind_addr *bp, 
			      (copy_flags & SCTP_ADDR6_ALLOWED) &&

			      (copy_flags & SCTP_ADDR6_PEERSUPP)))) {

				error = sctp_add_bind_addr(bp, &addr->a,

						    sizeof(addr->a),

						    SCTP_ADDR_SRC, GFP_ATOMIC);

				if (error)

					goto end_copy;

net/sctp/sm_make_chunk.c

+2 −1
Original line number Diff line number Diff line
@@ -1830,7 +1830,8 @@ struct sctp_association *sctp_unpack_cookie( 
	/* Also, add the destination address. */

	if (list_empty(&retval->base.bind_addr.address_list)) {

		sctp_add_bind_addr(&retval->base.bind_addr, &chunk->dest,

				SCTP_ADDR_SRC, GFP_ATOMIC);

				   sizeof(chunk->dest), SCTP_ADDR_SRC,

				   GFP_ATOMIC);

	}



	retval->next_tsn = retval->c.initial_tsn;

net/sctp/socket.c

+3 −1
Original line number Diff line number Diff line
@@ -386,7 +386,8 @@ static int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len) 
	/* Add the address to the bind address list.

	 * Use GFP_ATOMIC since BHs will be disabled.

	 */

	ret = sctp_add_bind_addr(bp, addr, SCTP_ADDR_SRC, GFP_ATOMIC);

	ret = sctp_add_bind_addr(bp, addr, af->sockaddr_len,

				 SCTP_ADDR_SRC, GFP_ATOMIC);



	/* Copy back into socket for getsockname() use. */

	if (!ret) {
@@ -577,6 +578,7 @@ static int sctp_send_asconf_add_ip(struct sock *sk, 
			af = sctp_get_af_specific(addr->v4.sin_family);

			memcpy(&saveaddr, addr, af->sockaddr_len);

			retval = sctp_add_bind_addr(bp, &saveaddr,

						    sizeof(saveaddr),

						    SCTP_ADDR_NEW, GFP_ATOMIC);

			addr_buf += af->sockaddr_len;

		}