Re: [PATCH] sctp: avoid NULL pointer dereference in sctp_sf_violation

From: Xin Long <lucien.xin@gmail.com>
Date: 2021-11-03 12:44:02
Also in: linux-sctp, lkml

On Tue, Nov 2, 2021 at 4:27 PM Alexey Khoroshilov [off-list ref] wrote:

Some callers (e.g. sctp_sf_violation_chunk) passes NULL to
asoc argument of sctp_sf_violation. So, it should check it
before calling sctp_vtag_verify().

Probably it could be exploited by a malicious SCTP packet
to cause NULL pointer dereference.

I don't think asoc can be NULL in here, did you see any call trace
caused by it?

If this was found by a tool, please remove the unnecessary call from
sctp_sf_violation_chunk() instead:

@@ -4893,9 +4893,6 @@ static enum sctp_disposition sctp_sf_violation_chunk(
 {
        static const char err_str[] = "The following chunk violates protocol:";

-       if (!asoc)
-               return sctp_sf_violation(net, ep, asoc, type, arg, commands);
-

Thanks.

quoted hunk ↗ jump to hunk

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Alexey Khoroshilov <redacted>
Fixes: aa0f697e4528 ("sctp: add vtag check in sctp_sf_violation")
---
 net/sctp/sm_statefuns.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index fb3da4d8f4a3..77f3cd6c516e 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c

@@ -4669,7 +4669,7 @@ enum sctp_disposition sctp_sf_violation(struct net *net,
 {
        struct sctp_chunk *chunk = arg;

-       if (!sctp_vtag_verify(chunk, asoc))
+       if (asoc && !sctp_vtag_verify(chunk, asoc))
                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

        /* Make sure that the chunk has a valid length. */
--

2.7.4

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help