diff options
author | Xin Long <lucien.xin@gmail.com> | 2020-11-04 14:55:32 +0800 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2020-11-05 14:27:30 -0800 |
commit | 0356010d825eb18d9157408e8ca4ec4613d61398 (patch) | |
tree | 48957ff5243ae7855d660ea4f8b383bbaca1ac74 /include/net/sctp | |
parent | 67438feb2b85e9850f08e3d8c601692317341ca5 (diff) |
sctp: bring inet(6)_skb_parm back to sctp_input_cb
inet(6)_skb_parm was removed from sctp_input_cb by Commit a1dd2cf2f1ae
("sctp: allow changing transport encap_port by peer packets"), as it
thought sctp_input_cb->header is not used any more in SCTP.
syzbot reported a crash:
[ ] BUG: KASAN: use-after-free in decode_session6+0xe7c/0x1580
[ ]
[ ] Call Trace:
[ ] <IRQ>
[ ] dump_stack+0x107/0x163
[ ] kasan_report.cold+0x1f/0x37
[ ] decode_session6+0xe7c/0x1580
[ ] __xfrm_policy_check+0x2fa/0x2850
[ ] sctp_rcv+0x12b0/0x2e30
[ ] sctp6_rcv+0x22/0x40
[ ] ip6_protocol_deliver_rcu+0x2e8/0x1680
[ ] ip6_input_finish+0x7f/0x160
[ ] ip6_input+0x9c/0xd0
[ ] ipv6_rcv+0x28e/0x3c0
It was caused by sctp_input_cb->header/IP6CB(skb) still used in sctp rx
path decode_session6() but some members overwritten by sctp6_rcv().
This patch is to fix it by bring inet(6)_skb_parm back to sctp_input_cb
and not overwriting it in sctp4/6_rcv() and sctp_udp_rcv().
Reported-by: syzbot+5be8aebb1b7dfa90ef31@syzkaller.appspotmail.com
Fixes: a1dd2cf2f1ae ("sctp: allow changing transport encap_port by peer packets")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://lore.kernel.org/r/136c1a7a419341487c504be6d1996928d9d16e02.1604472932.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/net/sctp')
-rw-r--r-- | include/net/sctp/structs.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 80f71499b543..1aa585216f34 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -1121,6 +1121,12 @@ static inline void sctp_outq_cork(struct sctp_outq *q) * sctp_input_cb is currently used on rx and sock rx queue */ struct sctp_input_cb { + union { + struct inet_skb_parm h4; +#if IS_ENABLED(CONFIG_IPV6) + struct inet6_skb_parm h6; +#endif + } header; struct sctp_chunk *chunk; struct sctp_af *af; __be16 encap_port; |