
RIP6, CAN, SCTP and SCTP6 lack a length check in their _send() functions.

Fix RIP6 and CAN, add a big XXX in the SCTP ones.

Found by KASAN, triggered by SyzKaller.

Reported-by: syzbot+0b9692ae0f49f93b7dc7@syzkaller.appspotmail.com
maxv maxv
maxv authored and maxv committed Feb 25, 2019
1 parent 2c899f4 commit 9e1867da2eb8366dbff200011724a66a4da24503
Showing with 24 additions and 8 deletions.
  1. +6 −2 sys/netcan/can_pcb.c
  2. +7 −2 sys/netinet/sctp_usrreq.c
  3. +6 −2 sys/netinet6/raw_ip6.c
  4. +5 −2 sys/netinet6/sctp6_usrreq.c
@@ -1,4 +1,4 @@
/* $NetBSD: can_pcb.c,v 1.6 2017/06/09 08:21:41 bouyer Exp $ */
/* $NetBSD: can_pcb.c,v 1.7 2019/02/25 06:49:44 maxv Exp $ */

/*-
* Copyright (c) 2003, 2017 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: can_pcb.c,v 1.6 2017/06/09 08:21:41 bouyer Exp $");
__KERNEL_RCSID(0, "$NetBSD: can_pcb.c,v 1.7 2019/02/25 06:49:44 maxv Exp $");

#include <sys/param.h>
#include <sys/systm.h>
@@ -124,6 +124,8 @@ can_pcbbind(void *v, struct sockaddr_can *scan, struct lwp *l)

if (scan->can_family != AF_CAN)
return (EAFNOSUPPORT);
if (scan->can_len != sizeof(*scan))
return EINVAL;
mutex_enter(&canp->canp_mtx);
if (scan->can_ifindex != 0) {
canp->canp_ifp = if_byindex(scan->can_ifindex);
@@ -157,6 +159,8 @@ can_pcbconnect(void *v, struct sockaddr_can *scan)

if (scan->can_family != AF_CAN)
return (EAFNOSUPPORT);
if (scan->can_len != sizeof(*scan))
return EINVAL;
#if 0
mutex_enter(&canp->canp_mtx);
memcpy(&canp->canp_dst, scan, sizeof(struct sockaddr_can));
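Review bot: The new `return EINVAL;` in can_pcbbind sits directly under the existing `return (EAFNOSUPPORT);`, so the same function now mixes parenthesized and bare return values; the can_pcbconnect hunk repeats the pairing. Pick one form for the new lines, e.g. `return (EINVAL);` to match the neighbouring statement, or leave a follow-up to drop the parentheses from both. Placing the length check before mutex_enter in can_pcbbind is the right order, since a rejected sockaddr then needs no unlock path. Both can_pcbbind and can_pcbconnect start and end outside their hunks.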
@@ -1,5 +1,5 @@
/* $KAME: sctp_usrreq.c,v 1.50 2005/06/16 20:45:29 jinmei Exp $ */
/* $NetBSD: sctp_usrreq.c,v 1.17 2019/02/24 07:20:33 maxv Exp $ */
/* $NetBSD: sctp_usrreq.c,v 1.18 2019/02/25 06:49:44 maxv Exp $ */

/*
* Copyright (c) 2001, 2002, 2003, 2004 Cisco Systems, Inc.
@@ -33,7 +33,7 @@
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sctp_usrreq.c,v 1.17 2019/02/24 07:20:33 maxv Exp $");
__KERNEL_RCSID(0, "$NetBSD: sctp_usrreq.c,v 1.18 2019/02/25 06:49:44 maxv Exp $");

#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -638,6 +638,11 @@ sctp_send(struct socket *so, struct mbuf *m, struct sockaddr *addr,
return EINVAL;
}
#endif /* INET6 */

/*
* XXX XXX XXX Check addr->sa_len?
*/

connected_type:
/* now what about control */
if (control) {
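Review bot: The XXX comment records that sctp_send still performs no sa_len check on `addr`, so the family test that apparently precedes it (the `return EINVAL;` at the top of the hunk) is the only validation before the address is used; sctp6_send in sctp6_usrreq.c leaves the same gap, with its comment placed just after `sin6 = (struct sockaddr_in6 *)nam;`. The rip6_send and can_pcbconnect checks in this commit show the shape to reuse: compare the length against the sockaddr the function actually reads, e.g. `if (addr->sa_len != sizeof(struct sockaddr_in6)) return EINVAL;` in the INET6 branch and the sockaddr_in equivalent in the INET branch. Whether `m` and `control` are released by the caller on such an early return is not visible here, so a new check must follow whatever cleanup the existing `return EINVAL` relies on. sctp_send's body starts and ends outside the hunk.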
@@ -1,4 +1,4 @@
/* $NetBSD: raw_ip6.c,v 1.174 2019/02/24 07:20:33 maxv Exp $ */
/* $NetBSD: raw_ip6.c,v 1.175 2019/02/25 06:49:44 maxv Exp $ */
/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */

/*
@@ -62,7 +62,7 @@
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.174 2019/02/24 07:20:33 maxv Exp $");
__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.175 2019/02/25 06:49:44 maxv Exp $");

#ifdef _KERNEL_OPT
#include "opt_ipsec.h"
@@ -891,6 +891,10 @@ rip6_send(struct socket *so, struct mbuf *m, struct sockaddr *nam,
error = EAFNOSUPPORT;
goto release;
}
if (dst->sin6_len != sizeof(*dst)) {
error = EINVAL;
goto release;
}
}
error = rip6_output(m, so, dst, control);
m = NULL;
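Review bot: The added `sin6_len` comparison has no comment explaining why an exact size is demanded, while the surrounding block documents nothing beyond the family test; a one-liner such as `/* nam is presumably user-supplied: require a full sockaddr_in6 before rip6_output reads it */` above the new `if` would tell the next reader what the check protects. Using `sizeof(*dst)` rather than a literal type keeps the check tied to the variable, which is good. rip6_send starts and ends outside the hunk, so the `release` label it jumps to is not visible here.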
@@ -1,5 +1,5 @@
/* $KAME: sctp6_usrreq.c,v 1.38 2005/08/24 08:08:56 suz Exp $ */
/* $NetBSD: sctp6_usrreq.c,v 1.18 2019/02/24 07:20:33 maxv Exp $ */
/* $NetBSD: sctp6_usrreq.c,v 1.19 2019/02/25 06:49:44 maxv Exp $ */

/*
* Copyright (c) 2001, 2002, 2003, 2004 Cisco Systems, Inc.
@@ -33,7 +33,7 @@
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sctp6_usrreq.c,v 1.18 2019/02/24 07:20:33 maxv Exp $");
__KERNEL_RCSID(0, "$NetBSD: sctp6_usrreq.c,v 1.19 2019/02/25 06:49:44 maxv Exp $");

#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -833,6 +833,9 @@ sctp6_send(struct socket *so, struct mbuf *m, struct sockaddr *nam,

#ifdef INET
sin6 = (struct sockaddr_in6 *)nam;
/*
* XXX XXX XXX Check sin6->sin6_len?
*/
if (inp6->in6p_flags & IN6P_IPV6_V6ONLY) {
/*
* if IPV6_V6ONLY flag, we discard datagrams
