
RIP, RIP6, DDP, SCTP and SCTP6 lack a length check in their _connect()
functions. Fix the first three, and add a big XXX in the SCTP ones.

Found by KASAN, triggered by SyzKaller.

Reported-by: syzbot+9eaf98dad6ca738c250d@syzkaller.appspotmail.com
maxv authored and maxv committed Feb 24, 2019
1 parent dc89367 commit a6926e4
Showing 5 changed files with 28 additions and 12 deletions.
10 changes: 6 additions & 4 deletions sys/netatalk/ddp_usrreq.c
@@ -1,4 +1,4 @@
/* $NetBSD: ddp_usrreq.c,v 1.72 2019/01/28 12:53:01 martin Exp $ */
/* $NetBSD: ddp_usrreq.c,v 1.73 2019/02/24 07:20:33 maxv Exp $ */

/*
* Copyright (c) 1990,1991 Regents of The University of Michigan.
Expand Down Expand Up @@ -27,7 +27,7 @@
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ddp_usrreq.c,v 1.72 2019/01/28 12:53:01 martin Exp $");
__KERNEL_RCSID(0, "$NetBSD: ddp_usrreq.c,v 1.73 2019/02/24 07:20:33 maxv Exp $");

#include "opt_mbuftrace.h"
#include "opt_atalk.h"
Expand Down Expand Up @@ -185,9 +185,11 @@ at_pcbconnect(struct ddpcb *ddp, struct sockaddr_at *sat)
struct ifnet *ifp;
u_short hintnet = 0, net;

if (sat->sat_family != AF_APPLETALK) {
if (sat->sat_family != AF_APPLETALK)
return EAFNOSUPPORT;
}
if (sat->sat_len != sizeof(*sat))
return EINVAL;

/*
* Under phase 2, network 0 means "the network". We take "the
* network" to mean the network the control block is bound to.
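Review bot: The new `if (sat->sat_len != sizeof(*sat))` test runs after `sat->sat_family` has already been read, so the family byte is dereferenced before the address length is validated; both fields sit in the first two bytes of the struct, so this only matters if a caller can hand in a buffer shorter than that, which the visible code does not settle either way. Swapping the two checks so `if (sat->sat_len != sizeof(*sat)) return EINVAL;` comes first removes the question at no cost and reads in the order a reviewer expects (size, then contents). A one-line why-comment would also help, e.g. `/* sat_len is the caller-supplied length; reject anything but a full sockaddr_at before reading sat_addr */` — presumably it is set from the user length by sockargs(), worth confirming. at_pcbconnect's body continues past the hunk, so later field accesses are not visible here.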
6 changes: 4 additions & 2 deletions sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
/* $NetBSD: raw_ip.c,v 1.178 2018/09/14 05:09:51 maxv Exp $ */
/* $NetBSD: raw_ip.c,v 1.179 2019/02/24 07:20:33 maxv Exp $ */

/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
Expand Down Expand Up @@ -65,7 +65,7 @@
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.178 2018/09/14 05:09:51 maxv Exp $");
__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.179 2019/02/24 07:20:33 maxv Exp $");

#ifdef _KERNEL_OPT
#include "opt_inet.h"
Expand Down Expand Up @@ -499,6 +499,8 @@ rip_connect_pcb(struct inpcb *inp, struct sockaddr_in *addr)
return (EADDRNOTAVAIL);
if (addr->sin_family != AF_INET)
return (EAFNOSUPPORT);
if (addr->sin_len != sizeof(*addr))
return EINVAL;
inp->inp_faddr = addr->sin_addr;
return (0);
}
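Review bot: The added `sin_len` check lands below the `return (EADDRNOTAVAIL);` test two lines above it, which, given its error code, presumably inspects `addr->sin_addr` and so reads into the address before its length has been validated; hoist `if (addr->sin_len != sizeof(*addr)) return EINVAL;` to the top of rip_connect_pcb, ahead of that test. The function head and the condition that yields EADDRNOTAVAIL are outside the hunk, so confirm there that nothing else dereferences `addr` first. As a style point, the new line writes bare `return EINVAL;` while its neighbours use the parenthesised `return (EAFNOSUPPORT);` form; keep one form within the function, `return (EINVAL);` here.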
9 changes: 7 additions & 2 deletions sys/netinet/sctp_usrreq.c
@@ -1,5 +1,5 @@
/* $KAME: sctp_usrreq.c,v 1.50 2005/06/16 20:45:29 jinmei Exp $ */
/* $NetBSD: sctp_usrreq.c,v 1.16 2019/02/15 14:13:32 rjs Exp $ */
/* $NetBSD: sctp_usrreq.c,v 1.17 2019/02/24 07:20:33 maxv Exp $ */

/*
* Copyright (c) 2001, 2002, 2003, 2004 Cisco Systems, Inc.
Expand Down Expand Up @@ -33,7 +33,7 @@
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sctp_usrreq.c,v 1.16 2019/02/15 14:13:32 rjs Exp $");
__KERNEL_RCSID(0, "$NetBSD: sctp_usrreq.c,v 1.17 2019/02/24 07:20:33 maxv Exp $");

#ifdef _KERNEL_OPT
#include "opt_inet.h"
Expand Down Expand Up @@ -3342,6 +3342,11 @@ sctp_connect(struct socket *so, struct sockaddr *nam, struct lwp *l)
return (EINVAL);
}
#endif /* INET6 */

/*
* XXX XXX XXX Check nam->sa_len?
*/

if ((inp->sctp_flags & SCTP_PCB_FLAGS_UNBOUND) ==
SCTP_PCB_FLAGS_UNBOUND) {
/* Bind a ephemeral port */
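Review bot: The `XXX XXX XXX Check nam->sa_len?` comment leaves the length unchecked in sctp_connect, so the out-of-bounds read this commit closes in the RIP and DDP paths stays reachable here, and it is placed below an `#ifdef INET6` block that already returns EINVAL based on `nam`, so a length check would belong above that block rather than at the marked spot. A small check keyed on `nam->sa_family`, done as the first thing with `nam`, would close it; sctp_connect's head and any existing family check are outside the hunk, so add or drop cases to match what the function actually accepts, and note the sketch below deliberately has no `default:` because the hunk does not show how unknown families are handled today.
```c
/* … unchanged: sctp_connect() head, inp lookup … */
	switch (nam->sa_family) {
	case AF_INET:
		if (nam->sa_len != sizeof(struct sockaddr_in))
			return EINVAL;
		break;
#ifdef INET6
	case AF_INET6:
		if (nam->sa_len != sizeof(struct sockaddr_in6))
			return EINVAL;
		break;
#endif
	}
/* … unchanged: INET6 handling, ephemeral bind … */
```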
6 changes: 4 additions & 2 deletions sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
/* $NetBSD: raw_ip6.c,v 1.173 2019/01/28 12:53:01 martin Exp $ */
/* $NetBSD: raw_ip6.c,v 1.174 2019/02/24 07:20:33 maxv Exp $ */
/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */

/*
Expand Down Expand Up @@ -62,7 +62,7 @@
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.173 2019/01/28 12:53:01 martin Exp $");
__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.174 2019/02/24 07:20:33 maxv Exp $");

#ifdef _KERNEL_OPT
#include "opt_ipsec.h"
Expand Down Expand Up @@ -716,6 +716,8 @@ rip6_connect(struct socket *so, struct sockaddr *nam, struct lwp *l)
return EADDRNOTAVAIL;
if (addr->sin6_family != AF_INET6)
return EAFNOSUPPORT;
if (addr->sin6_len != sizeof(*addr))
return EINVAL;

/*
* Application should provide a proper zone ID or the use of
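Review bot: The new `sin6_len` check sits below the `return EADDRNOTAVAIL;` test two lines above it, which presumably examines `addr->sin6_addr` and therefore reads well into the struct before its length is known; move `if (addr->sin6_len != sizeof(*addr)) return EINVAL;` above that test, ideally as the first use of `addr`. rip6_connect's head, where `addr` is derived from `nam`, is outside the hunk, so check there for any earlier dereference. The zone-ID handling that follows the hunk touches the tail of the struct, which is exactly what the check protects, so a why-comment such as `/* reject short addresses before the scope-id handling below reads the end of the struct */` would document the intent.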
9 changes: 7 additions & 2 deletions sys/netinet6/sctp6_usrreq.c
@@ -1,5 +1,5 @@
/* $KAME: sctp6_usrreq.c,v 1.38 2005/08/24 08:08:56 suz Exp $ */
/* $NetBSD: sctp6_usrreq.c,v 1.17 2019/01/28 12:53:01 martin Exp $ */
/* $NetBSD: sctp6_usrreq.c,v 1.18 2019/02/24 07:20:33 maxv Exp $ */

/*
* Copyright (c) 2001, 2002, 2003, 2004 Cisco Systems, Inc.
Expand Down Expand Up @@ -33,7 +33,7 @@
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sctp6_usrreq.c,v 1.17 2019/01/28 12:53:01 martin Exp $");
__KERNEL_RCSID(0, "$NetBSD: sctp6_usrreq.c,v 1.18 2019/02/24 07:20:33 maxv Exp $");

#ifdef _KERNEL_OPT
#include "opt_inet.h"
Expand Down Expand Up @@ -961,6 +961,11 @@ sctp6_connect(struct socket *so, struct sockaddr *nam, struct lwp *l)

#ifdef INET
sin6 = (struct sockaddr_in6 *)nam;

/*
* XXX XXX XXX Check sin6->sin6_len?
*/

if (inp6->in6p_flags & IN6P_IPV6_V6ONLY) {
/*
* if IPV6_V6ONLY flag, ignore connections
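Review bot: The `XXX XXX XXX Check sin6->sin6_len?` note is placed after `sin6 = (struct sockaddr_in6 *)nam;` and inside `#ifdef INET`, so the cast to the larger struct already happens on an unvalidated length, and in a kernel built without INET the reminder vanishes even though the check is needed regardless. Put `if (nam->sa_len != sizeof(struct sockaddr_in6)) return EINVAL;` before the cast and outside the `#ifdef`; if sctp6_connect also accepts AF_INET addresses (its head and any family check are outside the hunk), key the expected size on `nam->sa_family` instead. The IPV6_V6ONLY handling that follows presumably inspects `sin6->sin6_addr`, which without the check would be the first out-of-bounds read on a short address.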
