[Lksctp-developers] Kernel panic on receipt of icmp_proto_unreachable

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

As we were working on a port of traceproto to SCTP, we discovered a  
potential NULL pointer dereference in the icmp_proto_unreachable  
function.

The problem happens when a host supporting SCTP receives an icmp  
protocol unreachable message before it  initiates the association. We  
discovered this because traceproto uses libnet to send SCTP packets  
directly over a raw socket without going through the SCTP socket  
creation.

Upon reception of the icmp packet, the icmp_unreach hands the skb to  
sctp_v4_err. There, the sctp_err_lookup function does not find any  
association. As a consequence, the sctp_icmp_proto_unreachble  
function is called with its asoc parameter set to NULL. This causes a  
kernel panic when the asoc pointer is dereferenced pointer in the  
call to the sctp_do_sm function.

This is a serious bug as anyone could forge those packets and crash  
any SCTP enabled kernel over the network with only 1 packet.

The quick fix/patch I attached to this email simply checks if asoc is  
NULL. If it is, we call sctp_do_sm avoiding the dereference and  
assume the state is SCTP_STATE_CLOSED.