From: Charles-Henri de B. <cd...@st...> - 2005-06-29 22:17:28
Hi,

As we were working on a port of traceproto to SCTP, we discovered a potential NULL pointer dereference in the icmp_proto_unreachable function. The problem happens when a host supporting SCTP receives an icmp protocol unreachable message before it initiates the association. We discovered this because traceproto uses libnet to send SCTP packets directly over a raw socket without going through the SCTP socket creation.

Upon reception of the icmp packet, icmp_unreach hands the skb to sctp_v4_err. There, the sctp_err_lookup function does not find any association. As a consequence, the sctp_icmp_proto_unreachable function is called with its asoc parameter set to NULL. This causes a kernel panic when the asoc pointer is dereferenced in the call to the sctp_do_sm function.

This is a serious bug, as anyone could forge those packets and crash any SCTP-enabled kernel over the network with only 1 packet.

The quick fix/patch I attached to this email simply checks if asoc is NULL. If it is, we call sctp_do_sm, avoiding the dereference, and assume the state is SCTP_STATE_CLOSED.
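The failure path described in the mail, as an added user-space model rather than the kernel's or the poster's code: the association lookup misses for an unsolicited ICMP protocol-unreachable, the original handler shape dereferences the NULL result, and the fixed shape substitutes SCTP_STATE_CLOSED. All types, table sizes and function names here are constructed stand-ins for sctp_err_lookup, sctp_icmp_proto_unreachable and sctp_do_sm.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed user-space model of the path described in the mail (ICMP
 * protocol unreachable -> association lookup -> state machine). Type and
 * function names are simplified stand-ins, not the kernel's own code. */
enum sctp_state { SCTP_STATE_CLOSED = 0, SCTP_STATE_COOKIE_WAIT, SCTP_STATE_ESTABLISHED };
struct sctp_association { uint32_t peer_addr; uint16_t peer_port; enum sctp_state state; };
static struct sctp_association assoc_table[4];  /* stands in for the association hash */
static int n_assocs;

int add_association(uint32_t peer_addr, uint16_t peer_port, enum sctp_state state)
{
    if (n_assocs == 4) return -1;
    assoc_table[n_assocs] = (struct sctp_association){ peer_addr, peer_port, state };
    return n_assocs++;
}

/* Stand-in for sctp_err_lookup(): NULL when no association exists yet,
 * which is the unsolicited-ICMP case the mail describes. */
struct sctp_association *err_lookup(uint32_t peer_addr, uint16_t peer_port)
{
    for (int i = 0; i < n_assocs; i++)
        if (assoc_table[i].peer_addr == peer_addr && assoc_table[i].peer_port == peer_port)
            return &assoc_table[i];
    return NULL;
}

/* Stand-in for sctp_do_sm(): only reports the state it was dispatched with. */
static enum sctp_state do_sm(enum sctp_state state) { return state; }

/* Shape of the original handler: asoc->state with asoc == NULL is the crash. */
enum sctp_state proto_unreachable_unsafe(struct sctp_association *asoc)
{
    return do_sm(asoc->state);
}

/* Shape of the quick fix: a missing association is treated as CLOSED. */
enum sctp_state proto_unreachable_fixed(struct sctp_association *asoc)
{
    return do_sm(asoc ? asoc->state : SCTP_STATE_CLOSED);
}

int main(void)
{
    add_association(0x0a000001, 3868, SCTP_STATE_ESTABLISHED);   /* constructed peer */
    printf("known peer   -> state %d\n", proto_unreachable_fixed(err_lookup(0x0a000001, 3868)));
    printf("unknown peer -> state %d\n", proto_unreachable_fixed(err_lookup(0x0a000002, 3868)));
    return 0;  /* the unsafe variant would fault on the second lookup */
}
```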