android_kernel_motorola_sm6225/net
Xin Long 0ad6f021f6 sctp: fix the processing for INIT_ACK chunk
commit 438b95a7c98f77d51cbf4db021f41b602d750a3f upstream.

Currently INIT_ACK chunk in non-cookie_echoed state is processed in
sctp_sf_discard_chunk() to send an abort with the existent asoc's
vtag if the chunk length is not valid. But the vtag in the chunk's
sctphdr is not verified, which may be exploited by one to cook a
malicious chunk to terminate an SCTP asoc.

sctp_sf_discard_chunk() also is called in many other places to send
an abort, and most of those have this problem. This patch is to fix
it by sending abort with the existent asoc's vtag only if the vtag
from the chunk's sctphdr is verified in sctp_sf_discard_chunk().

Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(),
the chunk length has been verified before sctp_sf_discard_chunk(),
so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and
sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of
sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-03-23 09:10:40 +01:00
6lowpan 6lowpan: Off by one handling ->nexthdr 2020-01-27 14:50:41 +01:00
9p xen/9p: use alloc/free_pages_exact() 2022-03-11 10:15:13 +01:00
802 net/802/garp: fix memleak in garp_request_join() 2021-07-31 08:22:37 +02:00
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 14:04:19 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 12:48:49 +02:00
atm atm: fix a memory leak of vcc->user_back 2020-10-01 13:14:43 +02:00
ax25 ax25: Fix NULL pointer dereference in ax25_kill_by_device 2022-03-16 13:20:26 +01:00
batman-adv batman-adv: Don't expect inter-netns unique iflink indices 2022-03-08 19:04:08 +01:00
bluetooth Bluetooth: refactor malicious adv data check 2022-02-08 18:23:02 +01:00
bpf
bpfilter signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig 2020-01-27 14:50:51 +01:00
bridge net: bridge: fix stale eth hdr pointer in br_dev_xmit 2022-02-16 12:51:45 +01:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-22 11:48:11 +02:00
can can: bcm: switch timer to HRTIMER_MODE_SOFT and remove hrtimer_tasklet 2022-01-27 09:04:12 +01:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-11-05 11:08:53 +01:00
core net-sysfs: add check for netdevice being present to speed_show 2022-03-16 13:20:27 +01:00
dcb net: dcb: disable softirqs in dcbnl_flush_dev() 2022-03-08 19:04:10 +01:00
dccp dccp: don't duplicate ccid when cloning dccp sock 2021-09-22 11:48:11 +02:00
decnet net: decnet: Fix sleeping inside in af_decnet 2021-07-28 11:13:48 +02:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:30:24 +02:00
dsa net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup 2021-09-22 11:48:12 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:19:09 +01:00
hsr hsr: use netdev_err() instead of WARN_ONCE() 2021-05-22 10:59:24 +02:00
ieee802154 net: ieee802154: Return meaningful error codes from the netlink helpers 2022-02-08 18:23:16 +01:00
ife
ipv4 gso: do not skip outer ip header in case of ipip and net_failover 2022-03-02 11:38:12 +01:00
ipv6 xfrm: fix MTU regression 2022-03-08 19:04:07 +01:00
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-12-08 10:18:52 +01:00
kcm kcm: switch order of device registration to fix a crash 2019-04-17 08:38:40 +02:00
key af_key: relax availability checks for skb size calculation 2021-02-13 13:51:14 +01:00
l2tp net/l2tp: Fix reference count leak in l2tp_udp_recv_core 2021-09-22 11:48:11 +02:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:21:06 +01:00
llc net: llc: fix skb_over_panic 2021-08-04 12:23:46 +02:00
mac80211 mac80211: fix forwarded mesh frames AC & queue selection 2022-03-08 19:04:08 +01:00
mac802154 net: mac802154: Fix general protection fault 2021-04-14 08:22:36 +02:00
mpls net: mpls: Fix notifications when deleting a device 2021-12-08 08:50:13 +01:00
ncsi net/ncsi: Avoid channel_monitor hrtimer deadlock 2021-04-14 08:22:35 +02:00
netfilter netfilter: nf_queue: fix possible use-after-free 2022-03-08 19:04:07 +01:00
netlabel net: fix NULL pointer reference in cipso_v4_doi_free 2021-09-22 11:48:09 +02:00
netlink net: netlink: af_netlink: Prevent empty skb by adding a check on len. 2021-12-22 09:19:00 +01:00
netrom netrom: Decrease sock refcount when sock timers expire 2021-07-28 11:13:48 +02:00
nfc nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() 2022-01-27 09:04:15 +01:00
nsh
openvswitch openvswitch: Fix setting ipv6 fields causing hw csum failure 2022-03-02 11:38:12 +01:00
packet af_packet: fix data-race in packet_setsockopt / packet_setsockopt 2022-02-08 18:23:13 +01:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 13:58:50 +01:00
psample net: psample: fix skb_over_panic 2019-12-05 09:21:30 +01:00
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 09:58:00 +02:00
rds rds: memory leak in __rds_conn_create() 2021-12-22 09:19:01 +01:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:17:17 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-12-08 10:18:52 +01:00
rxrpc rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() 2021-12-08 08:50:13 +01:00
sched net: sched: limit TC_ACT_REPEAT loops 2022-02-23 11:58:41 +01:00
sctp sctp: fix the processing for INIT_ACK chunk 2022-03-23 09:10:40 +01:00
smc net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error cause by server 2022-03-08 19:04:08 +01:00
strparser net: strparser: partially revert "strparser: Call skb_unclone conditionally" 2019-05-16 19:41:27 +02:00
sunrpc rpc: fix gss_svc_init cleanup on failure 2021-09-22 11:48:07 +02:00
switchdev
tipc tipc: Fix end of loop tests for list_for_each_entry() 2022-03-02 11:38:11 +01:00
tls net/tls: Protect from calling tls_dev_del for TLS RX twice 2020-12-08 10:18:52 +01:00
unix af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress 2022-01-27 09:04:32 +01:00
vmw_vsock vsock: remove vsock from connected table when connect is interrupted by a signal 2022-02-23 11:58:39 +01:00
wimax
wireless nl80211: Handle nla_memdup failures in handle_nan_filter 2022-03-08 19:04:09 +01:00
x25 net/x25: Return the correct errno code 2021-06-30 08:48:13 -04:00
xdp xsk: Simplify detection of empty and full rings 2021-05-22 10:59:48 +02:00
xfrm Revert "xfrm: state and policy should fail if XFRMA_IF_ID 0" 2022-03-23 09:10:40 +01:00
compat.c net: Return the correct errno code 2021-06-30 08:48:13 -04:00
Kconfig
Makefile net: split out functions related to registering inflight socket files 2021-07-31 08:22:37 +02:00
socket.c net: don't unconditionally copy_from_user a struct ifreq for socket ioctls 2021-09-03 09:58:03 +02:00
sysctl_net.c