// SPDX-License-Identifier: GPL-2.0-or-later
/* Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved.
 *
 * Regression test-case for the crash caused by over-sized SCTP chunk,
 * fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a new
 * chunk in _sctp_make_chunk()")
 */
8
9 #include <stdlib.h>
10 #include <unistd.h>
11 #include <sys/types.h>
12 #include <sys/socket.h>
13 #include <netinet/in.h>
14 #include <netinet/ip.h>
15 #include <netinet/ip6.h>
16 #include <netdb.h>
17 #include <sys/syscall.h>
18
19 #include "tst_test.h"
20 #include "tst_safe_stdio.h"
21 #include "tst_checksum.h"
22 #include "lapi/netinet_in.h"
23 #include "lapi/socket.h"
24 #include "lapi/sctp.h"
25
/* Server side: listening SCTP socket, the port it was bound to, local addr. */
static int port;
static int sfd;
static struct sockaddr_in6 loc;

/* Client side: raw socket, destination address and the crafted datagram. */
static int cfd;
static struct sockaddr_in6 rmt;
static uint8_t packet[IP_MAXPACKET];
static int pkt_len;

/* -a option: the raw argument string and the parsed number of IPv6 address params. */
static char *addr_param;
static int addr_num = 3273;
34
/*
 * Bind an SCTP listener to ::1 (sin6_port stays 0, so the kernel picks an
 * ephemeral port), remember the port and seed rand() with it.
 */
static void setup_server(void)
{
	loc = (struct sockaddr_in6) {
		.sin6_family = AF_INET6,
		.sin6_addr = in6addr_loopback,
	};

	sfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
	SAFE_BIND(sfd, (struct sockaddr *)&loc, sizeof(loc));

	port = TST_GETSOCKPORT(sfd);
	tst_res(TINFO, "sctp server listen on %d", port);

	SAFE_LISTEN(sfd, 1);

	/* PRNG seed for the INIT tag / TSN that setup_client() draws via rand(). */
	srand(port);
}
50
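/*
 * Append buf_len bytes from buf to the global packet[] buffer at *off and
 * advance *off past them.
 *
 * packet[] is a fixed IP_MAXPACKET-byte array, so the copy is refused with
 * TBROK when it would run past its end instead of silently overflowing the
 * static buffer (possible with large -a values).
 */
static void update_packet_field(size_t *off, const void *buf, size_t buf_len)
{
	if (*off > sizeof(packet) || buf_len > sizeof(packet) - *off)
		tst_brk(TBROK, "field at offset %zu (%zu bytes) exceeds %zu-byte packet",
			*off, buf_len, sizeof(packet));

	memcpy(packet + *off, buf, buf_len);
	*off += buf_len;
}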
56
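/*
 * Build the raw IPv6 + SCTP INIT datagram in packet[] and open the raw
 * socket it is sent from.
 *
 * Layout: IPv6 header (40) | SCTP common header (12) | INIT chunk header (4)
 * + fixed INIT fields (16) | addr_num IPv6 address parameters (20 each).
 * With the default addr_num (3273) the packet is 65532 bytes, i.e. the
 * over-sized chunk the fixed kernel must reject without crashing.
 */
static void setup_client(void)
{
	struct ip6_hdr ip6;
	const size_t ip6_hdr_len = sizeof(ip6);
	const size_t addr_param_len = 20;	/* type(2) + len(2) + IPv6 addr(16) */
	size_t cmn_hdr_off;
	size_t off;
	int i;

	/* IPv6 header: version 6, traffic class 2, ::1 -> ::1; copied in last */
	memset(&ip6, 0, sizeof(ip6));
	ip6.ip6_flow = htonl(6 << 28 | 2 << 20);
	ip6.ip6_hops = 64;
	ip6.ip6_nxt = IPPROTO_SCTP;
	ip6.ip6_src.s6_addr[15] = 1;
	ip6.ip6_dst.s6_addr[15] = 1;
	rmt.sin6_family = AF_INET6;
	rmt.sin6_addr = in6addr_loopback;

	/* SCTP common header: ports, vtag 0 (INIT), checksum placeholder */
	off = ip6_hdr_len;

	uint16_t src_port = htons(port - 1);
	uint16_t dst_port = htons(port);
	uint32_t vtag = 0;
	uint32_t checksum = 0;

	update_packet_field(&off, &src_port, 2);
	update_packet_field(&off, &dst_port, 2);
	update_packet_field(&off, &vtag, 4);
	update_packet_field(&off, &checksum, 4);
	cmn_hdr_off = off;

	/* SCTP INIT chunk header: type 1, flags 0, length patched in below */
	uint16_t chunk_len;

	packet[off++] = 1;
	packet[off++] = 0;
	off += 2; /* chunk length, will be set in the end */

	uint32_t init_tag = rand();
	uint32_t rwnd = htonl(106496);
	uint16_t outs = htons(10);
	uint16_t ins = htons(65535);
	uint32_t init_tsn = rand();

	update_packet_field(&off, &init_tag, 4);
	update_packet_field(&off, &rwnd, 4);
	update_packet_field(&off, &outs, 2);
	update_packet_field(&off, &ins, 2);
	update_packet_field(&off, &init_tsn, 4);

	/* SCTP optional parameter type 6 (IPv6 address), 20 bytes each */
	uint16_t param_type = htons(6);
	uint16_t param_len = htons(20);

	/*
	 * The loop below writes straight into the fixed-size packet[] array,
	 * so refuse an addr_num that does not fit instead of overflowing the
	 * buffer.  Dividing rather than multiplying keeps the comparison free
	 * of overflow for addr_num values near INT_MAX.
	 */
	if ((sizeof(packet) - off) / addr_param_len < (size_t)addr_num)
		tst_brk(TBROK, "%d address params don't fit in %zu-byte packet",
			addr_num, sizeof(packet));

	/* IPv6(40) + SCTP_COMMON(12) + SCTP_CHUNK(20) + SCTP_OPT(65460) */
	for (i = 0; i < addr_num; ++i) {
		update_packet_field(&off, &param_type, 2);
		update_packet_field(&off, &param_len, 2);
		/* ::1 -- the other 15 address bytes rely on packet[] being static (zeroed) */
		packet[off + 15] = 1;
		off += 16;
	}
	pkt_len = off;

	tst_res(TINFO, "set chunk length %zu", pkt_len - cmn_hdr_off);
	chunk_len = htons(pkt_len - cmn_hdr_off);
	memcpy(packet + cmn_hdr_off + 2, &chunk_len, 2);

	/* CRC32c over common header + INIT chunk, stored at common header offset 8 */
	uint32_t csum = tst_crc32c(packet + ip6_hdr_len, pkt_len - ip6_hdr_len);

	memcpy(packet + ip6_hdr_len + 8, &csum, 4);

	/* payload length is everything after the IPv6 header */
	ip6.ip6_plen = htons(pkt_len - ip6_hdr_len);
	memcpy(packet, &ip6, ip6_hdr_len);

	cfd = SAFE_SOCKET(AF_INET6, SOCK_RAW, IPPROTO_RAW);
}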
134
/* sysfs path of the loopback MTU and the value setup() requires there */
static const char mtu_path[] = "/sys/class/net/lo/mtu";
static const unsigned int max_mtu = 65535;
/* MTU actually read from mtu_path */
static unsigned int mtu;
138
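/*
 * Validate the -a option, make sure the loopback MTU can carry the
 * unfragmented ~64 KiB IPv6 packet built by setup_client(), then bring up
 * the SCTP listener and the raw client socket.
 */
static void setup(void)
{
	if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX))
		tst_brk(TBROK, "wrong address number '%s'", addr_param);

	/*
	 * We don't fragment IPv6 packet here yet, check that MTU is 65535.
	 * mtu and max_mtu are unsigned, so use %u (the former %d mismatched
	 * the argument type for both the scanf and the tst_brk format).
	 */
	SAFE_FILE_SCANF(mtu_path, "%u", &mtu);
	if (mtu < max_mtu)
		tst_brk(TCONF, "Test needs that 'lo' MTU has %u", max_mtu);

	setup_server();
	setup_client();
}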
152
/* Child body: block in accept() on the listener; exits 0 if a connection arrives. */
static void accept_one(void)
{
	struct sockaddr_in6 peer;
	socklen_t peer_len = sizeof(peer);

	if (accept(sfd, (struct sockaddr *)&peer, &peer_len) < 0)
		tst_brk(TBROK | TERRNO, "accept() failed");
	exit(0);
}

/*
 * Fork a child that sits in accept(), inject the crafted INIT packet from
 * the raw socket, then kill and reap the child.  Reaching the final
 * tst_res means the kernel survived the over-sized chunk.
 */
static void run(void)
{
	int pid = SAFE_FORK();

	if (pid == 0)
		accept_one();

	SAFE_SENDTO(1, cfd, packet, pkt_len, 0, (struct sockaddr *)&rmt,
		    sizeof(rmt));

	SAFE_KILL(pid, SIGKILL);
	SAFE_WAITPID(pid, NULL, 0);

	tst_res(TPASS, "test doesn't cause crash");
}
174
/* Command-line options: -a <n> overrides addr_num (default 3273). */
static struct tst_option options[] = {
	{"a:", &addr_param, "-a number of additional IP address params"},
	{NULL, NULL, NULL}
};
179
/* Upstream references for this regression test. */
static const struct tst_tag test_tags[] = {
	{"CVE", "2018-5803"},
	{"linux-git", "07f2c7ab6f8d"},
	{}
};

/* Raw sockets need root; run() forks the accepting child. */
static struct tst_test test = {
	.needs_root = 1,
	.forks_child = 1,
	.options = options,
	.setup = setup,
	.test_all = run,
	.tags = test_tags,
};
192