• Wei Yongjun's avatar
    [SCTP]: Fix kernel panic while received AUTH chunk with BAD shared key identifier · 7cc08b55
    Wei Yongjun authored
    If SCTP-AUTH is enabled, received AUTH chunk with BAD shared key 
    identifier will cause kernel panic.
    
    Test as following:
    step1: enabled /proc/sys/net/sctp/auth_enable
    step 2:  connect  to SCTP server with auth capable. Association is 
    established between endpoints. Then send a AUTH chunk with a bad 
    shareid, SCTP server will kernel panic after received that AUTH chunk.
    
    SCTP client                   SCTP server
      INIT         ---------->  
        (with auth capable)
                   <----------    INIT-ACK
                                  (with auth capable)
      COOKIE-ECHO  ---------->
                   <----------    COOKIE-ACK
      AUTH         ---------->
    
    
    AUTH chunk is like this:
      AUTH chunk
        Chunk type: AUTH (15)
        Chunk flags: 0x00
        Chunk length: 28
        Shared key identifier: 10
        HMAC identifier: SHA-1 (1)
        HMAC: 0000000000000000000000000000000000000000
    
    The assignment of NULL to key can safely be removed, since key_for_each 
    (which is just list_for_each_entry under the covers does an initial 
    assignment to key anyway).
    
    If the endpoint_shared_keys list is empty, or if the key_id being 
    requested does not exist, the function as it currently stands returns 
    the actuall list_head (in this case endpoint_shared_keys.  Since that 
    list_head isn't surrounded by an actuall data structure, the last 
    iteration through list_for_each_entry will do a container_of on key, and 
    we wind up returning a bogus pointer, instead of NULL, as we should.
    
    > Neil Horman wrote:
    >> On Tue, Jan 22, 2008 at 05:29:20PM +0900, Wei Yongjun wrote:
    >>
    >> FWIW, Ack from me.  The assignment of NULL to key can safely be 
    >> removed, since
    >> key_for_each (which is just list_for_each_entry under the covers does 
    >> an initial
    >> assignment to key anyway).
    >> If the endpoint_shared_keys list is empty, or if the key_id being 
    >> requested does
    >> not exist, the function as it currently stands returns the actuall 
    >> list_head (in
    >> this case endpoint_shared_keys.  Since that list_head isn't 
    >> surrounded by an
    >> actuall data structure, the last iteration through 
    >> list_for_each_entry will do a
    >> container_of on key, and we wind up returning a bogus pointer, 
    >> instead of NULL,
    >> as we should.  Wei's patch corrects that.
    >>
    >> Regards
    >> Neil
    >>
    >> Acked-by: Neil Horman <nhorman@tuxdriver.com>
    >>
    >
    > Yep, the patch is correct.
    >
    > Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    >
    > -vlad
    >
    Signed-off-by: default avatarWei Yongjun <yjwei@cn.fujitsu.com>
    Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
    Acked-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    7cc08b55
auth.c 23.7 KB