On 08.11.2021 09:57, Greg Kroah-Hartman wrote:
On Tue, Nov 02, 2021 at 04:52:28PM +0100, Greg Kroah-Hartman wrote:
On Tue, Nov 02, 2021 at 05:12:16PM +0300, Alexey Khoroshilov wrote:
Hello!
It seems the patch may lead to a NULL pointer dereference.
- sctp_sf_violation_chunk() calls sctp_sf_violation() with asoc arg
equal to NULL.
    static enum sctp_disposition sctp_sf_violation_chunk( ...
    {
    	...
    	if (!asoc)
    		return sctp_sf_violation(net, ep, asoc, type, arg, commands);
    	...
- Newly added code in sctp_sf_violation() calls sctp_vtag_verify()
with asoc arg equal to NULL.
    enum sctp_disposition sctp_sf_violation(struct net *net, ...
    {
    	struct sctp_chunk *chunk = arg;

    	if (!sctp_vtag_verify(chunk, asoc))
    		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
    	...
- sctp_vtag_verify() dereferences asoc without any check.
    /* Check VTAG of the packet matches the sender's own tag. */
    static inline int sctp_vtag_verify(const struct sctp_chunk *chunk,
    				   const struct sctp_association *asoc)
    {
    	/* RFC 2960 Sec 8.5 When receiving an SCTP packet, the endpoint
    	 * MUST ensure that the value in the Verification Tag field of
    	 * the received SCTP packet matches its own Tag. If the received
    	 * Verification Tag value does not match the receiver's own
    	 * tag value, the receiver shall silently discard the packet...
    	 */
    	if (ntohl(chunk->sctp_hdr->vtag) != asoc->c.my_vtag)
    		return 0;
Found by Linux Verification Center (linuxtesting.org) with SVACE tool.
These issues should all be the same with Linus's tree, so can you please submit patches to the normal netdev developers and mailing list to resolve the above issues?
Given a lack of response, I am going to assume that these are not real issues. If you think they are, please submit patches to the network developers to resolve them.
thanks,
greg k-h
Hi Greg,
During discussion with the network developers it was determined that the code is unreachable and should be removed. The corresponding patch is already in the network tree:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=e7...
Thank you, Alexey
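The following is an added, self-contained model of the call path reported in this thread (sctp_sf_violation_chunk() -> sctp_sf_violation() -> sctp_vtag_verify() with asoc == NULL). It is illustration code written for this page, not kernel code: the struct types, the verifier variants and the sample chunk are stubs defined here, the names merely mirror the kernel's for readability, and the "guarded" verifier is a hypothetical alternative remedy, not the fix the thread says was merged (which removed the unreachable caller path instead).

```c
/* Added illustration, not kernel code: a stub model of the reported
 * NULL-association path through the SCTP verification-tag check. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stub types standing in for the kernel structures named in the report. */
struct sctphdr { uint32_t vtag; };                 /* network byte order */
struct sctp_chunk { struct sctphdr *sctp_hdr; };
struct sctp_association { struct { uint32_t my_vtag; } c; };

enum sctp_disposition { SCTP_DISPOSITION_DISCARD, SCTP_DISPOSITION_VIOLATION };

/* Same shape as the excerpt quoted above: asoc is dereferenced
 * unconditionally, so a NULL asoc faults here. */
static int vtag_verify_unchecked(const struct sctp_chunk *chunk,
				 const struct sctp_association *asoc)
{
	return ntohl(chunk->sctp_hdr->vtag) == asoc->c.my_vtag;
}

/* Hypothetical guarded variant (an assumption of this example): with no
 * association there is no tag to match, so report a mismatch and let the
 * caller discard. The kernel did not take this route; see the thread. */
static int vtag_verify_guarded(const struct sctp_chunk *chunk,
			       const struct sctp_association *asoc)
{
	if (!asoc)
		return 0;
	return ntohl(chunk->sctp_hdr->vtag) == asoc->c.my_vtag;
}

/* Models sctp_sf_violation(): verify the tag first, discard on mismatch. */
static enum sctp_disposition sf_violation(const struct sctp_chunk *chunk,
					  const struct sctp_association *asoc)
{
	if (!vtag_verify_guarded(chunk, asoc))
		return SCTP_DISPOSITION_DISCARD;
	return SCTP_DISPOSITION_VIOLATION;
}

/* Models the sctp_sf_violation_chunk() entry from the report: the !asoc
 * branch forwards the NULL association into the verifier. The real
 * non-NULL handling is not on the page and is not modelled here. */
static enum sctp_disposition sf_violation_chunk(const struct sctp_chunk *chunk,
						const struct sctp_association *asoc)
{
	if (!asoc)
		return sf_violation(chunk, asoc);   /* asoc is NULL here */
	return sf_violation(chunk, asoc);
}

/* Constructed sample input: one chunk whose header carries host_vtag. */
static struct sctphdr sample_hdr;
static struct sctp_chunk sample_chunk = { &sample_hdr };

static struct sctp_chunk *build_sample_chunk(uint32_t host_vtag)
{
	sample_hdr.vtag = htonl(host_vtag);
	return &sample_chunk;
}

int main(void)
{
	struct sctp_chunk *c = build_sample_chunk(0x1234abcdu);
	struct sctp_association good = { { 0x1234abcdu } };
	struct sctp_association bad  = { { 0xdeadbeefu } };

	printf("matching asoc:   %d\n", vtag_verify_unchecked(c, &good));
	printf("mismatched asoc: %d\n", vtag_verify_unchecked(c, &bad));
	/* vtag_verify_unchecked(c, NULL) would dereference NULL. */
	printf("NULL asoc, guarded -> disposition %d (0 = discard)\n",
	       sf_violation_chunk(c, NULL));
	return 0;
}
```

Running it shows the two halves of the report: the unchecked verifier behaves correctly whenever an association is present, and only the path that hands it a NULL association is dangerous, which is why the thread's conclusion that the NULL-forwarding branch was unreachable resolves the finding without touching the verifier.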