Missing return in error path in sctp_handle_asconf() #376

markwo · 2019-09-19T21:43:47Z

usrsctp/usrsctplib/netinet/sctp_asconf.c

Line 722 in 8ca1321

sctp_m_freem(m_ack);

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack.

Thanks to Mark Wodrich from Google for reporting the issue in sctplab/usrsctp#376 for the userland stack.

Thanks to Mark Wodrich from Google for reporting the issue in #376 for the userland stack.

tuexen · 2019-09-20T08:27:02Z

Fixed in ac36440. Thanks for finding and reporting!

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFC after: 3 days git-svn-id: svn+ssh://svn.freebsd.org/base/head@352550 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFC after: 3 days

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFC after: 3 days git-svn-id: https://svn.freebsd.org/base/head@352550 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack.

Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. git-svn-id: https://svn.freebsd.org/base/stable/12@352674 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Only allow a SCTP-AUTH shared key to be updated by the application if it is not deactivated and not used. This avoids a use-after-free problem. MFS r352674: Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFS r352675: Cleanup the RTO calculation and perform some consistency checks before computing the RTO. This should fix an overflow issue reported by Felix Weinrank in sctplab/usrsctp#375 for the userland stack and found by running a fuzz tester. MFS r352676: Don't hold the info lock when calling sctp_select_a_tag(). This avoids a double lock bug in the NAT colliding state processing of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in sctplab/usrsctp#374 He found this bug using fuzz testing. MFS r353034: Plumb a memory leak. Thanks to Felix Weinrank for finding this issue using fuzz testing and reporting it for the userland stack: sctplab/usrsctp#378 MFS r353036: Don't use stack memory which is not initialized. Thanks to Mark Wodrich for reporting this issue for the userland stack in sctplab/usrsctp#380 This issue was also found for usrsctp by OSS-fuzz in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17778 Approved by: re (kib@)

Only allow a SCTP-AUTH shared key to be updated by the application if it is not deactivated and not used. This avoids a use-after-free problem. MFS r352674: Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFS r352675: Cleanup the RTO calculation and perform some consistency checks before computing the RTO. This should fix an overflow issue reported by Felix Weinrank in sctplab/usrsctp#375 for the userland stack and found by running a fuzz tester. MFS r352676: Don't hold the info lock when calling sctp_select_a_tag(). This avoids a double lock bug in the NAT colliding state processing of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in sctplab/usrsctp#374 He found this bug using fuzz testing. MFS r353034: Plumb a memory leak. Thanks to Felix Weinrank for finding this issue using fuzz testing and reporting it for the userland stack: sctplab/usrsctp#378 MFS r353036: Don't use stack memory which is not initialized. Thanks to Mark Wodrich for reporting this issue for the userland stack in sctplab/usrsctp#380 This issue was also found for usrsctp by OSS-fuzz in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17778 Approved by: re (kib@) git-svn-id: https://svn.freebsd.org/base/releng/12.1@353045 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFC after: 3 days

Only allow a SCTP-AUTH shared key to be updated by the application if it is not deactivated and not used. This avoids a use-after-free problem. MFS r352674: Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFS r352675: Cleanup the RTO calculation and perform some consistency checks before computing the RTO. This should fix an overflow issue reported by Felix Weinrank in sctplab/usrsctp#375 for the userland stack and found by running a fuzz tester. MFS r352676: Don't hold the info lock when calling sctp_select_a_tag(). This avoids a double lock bug in the NAT colliding state processing of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in sctplab/usrsctp#374 He found this bug using fuzz testing. MFS r353034: Plumb a memory leak. Thanks to Felix Weinrank for finding this issue using fuzz testing and reporting it for the userland stack: sctplab/usrsctp#378 MFS r353036: Don't use stack memory which is not initialized. Thanks to Mark Wodrich for reporting this issue for the userland stack in sctplab/usrsctp#380 This issue was also found for usrsctp by OSS-fuzz in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17778 Approved by: re (kib@)

Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack.

Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. git-svn-id: https://svn.freebsd.org/base/stable/11@360734 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Thanks to Mark Wodrich from Google for reporting the issue in sctplab/usrsctp#376 for the userland stack. (cherry picked from commit ac36440)

markwo changed the title ~~Missing return in error path in sctp_handle_asconf~~ Missing return in error path in sctp_handle_asconf() Sep 19, 2019

tuexen added a commit to sctplab/stream-reset-improved that referenced this issue Sep 20, 2019

Fix the handling of invalid parameters in ASCONF chunks.

264ce45

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack.

tuexen added a commit to sctplab/pr-sctp-improved that referenced this issue Sep 20, 2019

Fix the handling of invalid parameters in ASCONF chunks.

0fe5c7f

Thanks to Mark Wodrich from Google for reporting the issue in sctplab/usrsctp#376 for the userland stack.

tuexen added a commit to sctplab/SCTP_NKE_ElCapitan that referenced this issue Sep 20, 2019

Fix the handling of invalid parameters in ASCONF chunks.

bd42efc

Thanks to Mark Wodrich from Google for reporting the issue in sctplab/usrsctp#376 for the userland stack.

tuexen added a commit to sctplab/SCTP_NKE_Yosemite that referenced this issue Sep 20, 2019

Fix the handling of invalid parameters in ASCONF chunks.

a4f9c93

Thanks to Mark Wodrich from Google for reporting the issue in sctplab/usrsctp#376 for the userland stack.

tuexen added a commit to sctplab/SCTP_NKE_HighSierra that referenced this issue Sep 20, 2019

Fix the handling of invalid parameters in ASCONF chunks.

f10c6b5

Thanks to Mark Wodrich from Google for reporting the issue in sctplab/usrsctp#376 for the userland stack.

tuexen added a commit to sctplab/sctp-idata that referenced this issue Sep 20, 2019

Fix the handling of invalid parameters in ASCONF chunks.

a12f402

Thanks to Mark Wodrich from Google for reporting the issue in sctplab/usrsctp#376 for the userland stack.

tuexen added a commit that referenced this issue Sep 20, 2019

Fix the handling of invalid parameters in ASCONF chunks.

ac36440

Thanks to Mark Wodrich from Google for reporting the issue in #376 for the userland stack.

tuexen closed this as completed Sep 20, 2019

uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 22, 2019

Fix the handling of invalid parameters in ASCONF chunks.

f8c515c

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFC after: 3 days

uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 25, 2019

MFC r352550:

ab82c97

Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack.

brooksdavis pushed a commit to CTSRD-CHERI/cheribsd that referenced this issue Oct 22, 2019

Fix the handling of invalid parameters in ASCONF chunks.

6192117

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFC after: 3 days

yuquanw2 mentioned this issue Jun 19, 2020

Adding tests for ASCONF chunks #486

Closed

jmb202 pushed a commit to pexip/usrsctp that referenced this issue Jun 22, 2020

Fix the handling of invalid parameters in ASCONF chunks.

e5c7627

Thanks to Mark Wodrich from Google for reporting the issue in sctplab/usrsctp#376 for the userland stack. (cherry picked from commit ac36440)

yuquanw2 mentioned this issue Jun 22, 2020

Adding tests for ASCONF chunks #487

Merged

feross mentioned this issue Nov 18, 2020

0.23.0 Critical Security Vulnerability? webtorrent/webtorrent-desktop#1837

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing return in error path in sctp_handle_asconf() #376

Missing return in error path in sctp_handle_asconf() #376

markwo commented Sep 19, 2019

tuexen commented Sep 20, 2019

Missing return in error path in sctp_handle_asconf() #376

Missing return in error path in sctp_handle_asconf() #376

Comments

markwo commented Sep 19, 2019

tuexen commented Sep 20, 2019