CPU DoS (infinite loop) in sctp_send_cookie_echo #352
Reproducible with the following packetdrill script:
Closed
tuexen added a commit to sctplab/stream-reset-improved that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352
tuexen added a commit that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in #355 and #352
tuexen added a commit that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in #351 and #352
tuexen added a commit to sctplab/stream-reset-improved that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352
tuexen added a commit to sctplab/SCTP_NKE_Yosemite that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352
tuexen added a commit to sctplab/SCTP_NKE_ElCapitan that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352
tuexen added a commit to sctplab/SCTP_NKE_HighSierra that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352
tuexen added a commit to sctplab/pr-sctp-improved that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352
tuexen added a commit to sctplab/sctp-idata that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352
uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352 MFC after: 3 days git-svn-id: svn+ssh://svn.freebsd.org/base/head@351654 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352 MFC after: 3 days
opntr-auto added a commit to HardenedBSD/hardenedBSD that referenced this issue Sep 1, 2019
* freebsd/current/master: Fix initialization of top_fsn. Improve the handling of state cookie parameters in INIT-ACK chunks. This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352 Add support for TP-Link Archer T2U Nano. nullfs: reduce areas protected by vnode interlock in null_lock posixshm: switch to OBJT_SWAP in advance of other changes ARM kernel can get RAM regions three ways: o from FDT; o from EFI; o from Linux Boot API (ATAG). U-Boot may pass RAM info all that 3 ways simultaneously. We do select between FDT and EFI, but not for ATAG. So this is not problem fix, but correctness check. Unskip test cases from netbsd-tests by defining __HAVE_FENV
I can confirm this fixes the issue, thanks!
uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 7, 2019
Improve the handling of state cookie parameters in INIT-ACK chunks. This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352
bdrewery pushed a commit to bdrewery/freebsd that referenced this issue Sep 12, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352 MFC after: 3 days git-svn-id: svn+ssh://svn.freebsd.org/base/head@351654 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
mat813 pushed a commit to mat813/freebsd that referenced this issue Sep 16, 2019
Improve the handling of state cookie parameters in INIT-ACK chunks. This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352 git-svn-id: https://svn.freebsd.org/base/stable/12@352007 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
mat813 pushed a commit to mat813/freebsd that referenced this issue Sep 16, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352 MFC after: 3 days git-svn-id: https://svn.freebsd.org/base/head@351654 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
brooksdavis pushed a commit to CTSRD-CHERI/cheribsd that referenced this issue Oct 18, 2019
This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352 MFC after: 3 days
uqs pushed a commit to freebsd/freebsd-src that referenced this issue May 7, 2020
Improve the handling of state cookie parameters in INIT-ACK chunks. This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352
mat813 pushed a commit to mat813/freebsd that referenced this issue Jun 9, 2020
Improve the handling of state cookie parameters in INIT-ACK chunks. This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352 git-svn-id: https://svn.freebsd.org/base/stable/11@360731 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
hardenedbsd-services pushed a commit to HardenedBSD/hardenedBSD that referenced this issue Jan 29, 2021
Improve the handling of state cookie parameters in INIT-ACK chunks. This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#351 and sctplab/usrsctp#352
While working on a fuzzer for usrsctp, I hit a timeout due to an infinite loop in the target/receiver endpoint. The PCAP is attached - output and stack trace of the timeout are below. From a look at the code, this is due to the code in sctp_send_cookie_echo (sctp_output.c) not handling parameters with a zero length:
I'm cleaning up the fuzzer currently - can share the code if you need it to repro. (Would also like to eventually get this fuzzer added to the repo as an OSS-Fuzz target).
repro.zip
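The failure mode reported above (a parameter walk that does not advance when a parameter declares a zero length) and the partial-parameter case named in the fix commit messages, as an added C example that is not usrsctp's code. The function names, the `max_steps` cap that lets the unchecked loop return, the return codes and the sample buffers are assumptions made for illustration; the 4-byte header, 4-byte padding and State Cookie type 7 follow RFC 4960.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PARAM_HDR_LEN 4u      /* 2-byte type + 2-byte length (RFC 4960) */
#define STATE_COOKIE  0x0007u /* State Cookie parameter type (RFC 4960) */

/* Constructed parameter areas, not taken from the issue's PCAP. */
static const uint8_t good[]     = { 0x7f,0xf0, 0,5, 0xaa,0,0,0, 0,7, 0,8, 1,2,3,4 }; /* len 5 + pad, cookie */
static const uint8_t zero_len[] = { 0x7f,0xf0, 0,0, 0,7, 0,8, 1,2,3,4 };   /* first length is 0 */
static const uint8_t partial[]  = { 0,7, 0,16, 1,2,3,4 };                  /* claims 16 bytes, has 8 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unchecked walk: trusts the declared length. max_steps exists only so the
 * demo returns; without it plen == 0 never advances. Returns iterations run. */
size_t walk_unchecked(const uint8_t *buf, size_t len, size_t max_steps)
{
    size_t off = 0, steps = 0;
    while (off + PARAM_HDR_LEN <= len && steps < max_steps) {
        off += (rd16(buf + off + 2) + 3u) & ~3u;
        steps++;
    }
    return steps;
}

/* Checked walk: offset of the State Cookie, -1 if absent, -2 if a parameter
 * declares less than the header size or more than the bytes remaining. */
long find_state_cookie(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (len - off >= PARAM_HDR_LEN) {
        uint16_t type = rd16(buf + off), plen = rd16(buf + off + 2);
        if (plen < PARAM_HDR_LEN || plen > len - off)
            return -2;                       /* zero-length or partial */
        if (type == STATE_COOKIE)
            return (long)off;
        size_t padded = ((size_t)plen + 3u) & ~(size_t)3u;
        if (padded > len - off)
            break;                           /* final parameter, padding omitted */
        off += padded;
    }
    return -1;
}

int main(void)
{
    printf("unchecked steps on zero_len: %zu\n", walk_unchecked(zero_len, sizeof zero_len, 1000));
    printf("checked: %ld %ld %ld\n", find_state_cookie(good, sizeof good),
           find_state_cookie(zero_len, sizeof zero_len), find_state_cookie(partial, sizeof partial));
    return 0;
}
```

The length check runs before the type comparison, so a State Cookie parameter that itself declares more bytes than are present is rejected rather than handed to the caller.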