• Xin Long's avatar
    sctp: call sctp_auth_init_hmacs() in sctp_sock_migrate() · c6f33e05
    Xin Long authored
    New ep's auth_hmacs should be set if old ep's is set, in case that
    net->sctp.auth_enable has been changed to 0 by users and new ep's
    auth_hmacs couldn't be set in sctp_endpoint_init().
    
    It can even crash kernel by doing:
    
      1. on server: sysctl -w net.sctp.auth_enable=1,
                    sysctl -w net.sctp.addip_enable=1,
                    sysctl -w net.sctp.addip_noauth_enable=0,
                    listen() on server,
                    sysctl -w net.sctp.auth_enable=0.
      2. on client: connect() to server.
      3. on server: accept() the asoc,
                    sysctl -w net.sctp.auth_enable=1.
      4. on client: send() asconf packet to server.
    
    The call trace:
    
      [  245.280251] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      [  245.286872] RIP: 0010:sctp_auth_calculate_hmac+0xa3/0x140 [sctp]
      [  245.304572] Call Trace:
      [  245.305091]  <IRQ>
      [  245.311287]  sctp_sf_authenticate+0x110/0x160 [sctp]
      [  245.312311]  sctp_sf_eat_auth+0xf2/0x230 [sctp]
      [  245.313249]  sctp_do_sm+0x9a/0x2d0 [sctp]
      [  245.321483]  sctp_assoc_bh_rcv+0xed/0x1a0 [sctp]
      [  245.322495]  sctp_rcv+0xa66/0xc70 [sctp]
    
    It's because the old ep->auth_hmacs wasn't copied to the new ep while
    ep->auth_hmacs is used in sctp_auth_calculate_hmac() when processing
    the incoming auth chunks, and it should have been done when migrating
    sock.
    Reported-by: default avatarYing Xu <yinxu@redhat.com>
    Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
    Acked-by: default avatarNeil Horman <nhorman@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    c6f33e05
socket.c 257 KB