022152aaeb
When it returns an error from sctp_auth_asoc_init_active_key(), the
active_key is actually not updated. The old sh_key will be freeed
while it's still used as active key in asoc. Then an use-after-free
will be triggered when sending patckets, as found by syzbot:
sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
sctp_set_owner_w net/sctp/socket.c:132 [inline]
sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
This patch is to fix it by not replacing the sh_key when it returns
errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key().
For sctp_auth_set_active_key(), old active_key_id will be set back
to asoc->active_key_id when the same thing happens.
Fixes:
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| associola.c | ||
| auth.c | ||
| bind_addr.c | ||
| chunk.c | ||
| debug.c | ||
| diag.c | ||
| endpointola.c | ||
| input.c | ||
| inqueue.c | ||
| ipv6.c | ||
| objcnt.c | ||
| offload.c | ||
| output.c | ||
| outqueue.c | ||
| primitive.c | ||
| proc.c | ||
| protocol.c | ||
| sm_make_chunk.c | ||
| sm_sideeffect.c | ||
| sm_statefuns.c | ||
| sm_statetable.c | ||
| socket.c | ||
| stream.c | ||
| stream_interleave.c | ||
| stream_sched.c | ||
| stream_sched_prio.c | ||
| stream_sched_rr.c | ||
| sysctl.c | ||
| transport.c | ||
| tsnmap.c | ||
| ulpevent.c | ||
| ulpqueue.c | ||