<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux-stable.git/net/sctp, branch linux-3.7.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/atom?h=linux-3.7.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/atom?h=linux-3.7.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/'/>
<updated>2013-02-14T18:48:34+00:00</updated>
<entry>
<title>net: sctp: sctp_endpoint_free: zero out secret key data</title>
<updated>2013-02-14T18:48:34+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2013-02-08T03:04:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=3cea56174bd3d79f8bb9ec500dfc95c4660a6ca9'/>
<id>urn:sha1:3cea56174bd3d79f8bb9ec500dfc95c4660a6ca9</id>
<content type='text'>
[ Upstream commit b5c37fe6e24eec194bb29d22fdd55d73bcc709bf ]

On sctp_endpoint_destroy, previously used sensitive keying material
should be zeroed out before the memory is returned, as we already do
with e.g. auth keys when released.

Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree</title>
<updated>2013-02-14T18:48:33+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2013-02-08T03:04:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=86e4935c889c0e4aadd3f7cf86a22ea09f959600'/>
<id>urn:sha1:86e4935c889c0e4aadd3f7cf86a22ea09f959600</id>
<content type='text'>
[ Upstream commit 6ba542a291a5e558603ac51cda9bded347ce7627 ]

In sctp_setsockopt_auth_key, we create a temporary copy of the user
passed shared auth key for the endpoint or association and after
internal setup, we free it right away. Since it's sensitive data, we
should zero out the key before returning the memory back to the
allocator. Thus, use kzfree instead of kfree, just as we do in
sctp_auth_key_put().

Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>sctp: refactor sctp_outq_teardown to insure proper re-initalization</title>
<updated>2013-02-14T18:48:33+00:00</updated>
<author>
<name>Neil Horman</name>
<email>nhorman@tuxdriver.com</email>
</author>
<published>2013-01-17T11:15:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=2a64537939d88f55564c276c61b5c4660636d9d0'/>
<id>urn:sha1:2a64537939d88f55564c276c61b5c4660636d9d0</id>
<content type='text'>
[ Upstream commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 ]

Jamie Parsons reported a problem recently, in which the re-initalization of an
association (The duplicate init case), resulted in a loss of receive window
space.  He tracked down the root cause to sctp_outq_teardown, which discarded
all the data on an outq during a re-initalization of the corresponding
association, but never reset the outq-&gt;outstanding_data field to zero.  I wrote,
and he tested this fix, which does a proper full re-initalization of the outq,
fixing this problem, and hopefully future proofing us from simmilar issues down
the road.

Signed-off-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Reported-by: Jamie Parsons &lt;Jamie.Parsons@metaswitch.com&gt;
Tested-by: Jamie Parsons &lt;Jamie.Parsons@metaswitch.com&gt;
CC: Jamie Parsons &lt;Jamie.Parsons@metaswitch.com&gt;
CC: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
CC: "David S. Miller" &lt;davem@davemloft.net&gt;
CC: netdev@vger.kernel.org
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>sctp: jsctp_sf_eat_sack: fix jprobes function signature mismatch</title>
<updated>2013-01-11T17:18:52+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2012-12-15T10:12:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=b5810b8da2248adc73a1bf3def752d99beb87cca'/>
<id>urn:sha1:b5810b8da2248adc73a1bf3def752d99beb87cca</id>
<content type='text'>
[ Upstream commit 4cb9d6eaf85ecdd266a9a5c6d825c56ca9eefc14 ]

Commit 24cb81a6a (sctp: Push struct net down into all of the
state machine functions) introduced the net structure into all
state machine functions, but jsctp_sf_eat_sack was not updated,
hence when SCTP association probing is enabled in the kernel,
any simple SCTP client/server program from userspace will panic
the kernel.

Cc: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>sctp: Error in calculation of RTTvar</title>
<updated>2012-11-28T16:13:40+00:00</updated>
<author>
<name>Schoch Christian</name>
<email>e0326715@student.tuwien.ac.at</email>
</author>
<published>2012-11-28T05:18:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=92d64c261e77cb2a6117887617e2a629fea6b67c'/>
<id>urn:sha1:92d64c261e77cb2a6117887617e2a629fea6b67c</id>
<content type='text'>
The calculation of RTTVAR involves the subtraction of two unsigned
numbers which
may causes rollover and results in very high values of RTTVAR when RTT &gt; SRTT.
With this patch it is possible to set RTOmin = 1 to get the minimum of RTO at
4 times the clock granularity.

Change Notes:

v2)
        *Replaced abs() by abs64() and long by __s64, changed patch
description.

Signed-off-by: Christian Schoch &lt;e0326715@student.tuwien.ac.at&gt;
CC: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
CC: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
CC: Neil Horman &lt;nhorman@tuxdriver.com&gt;
CC: linux-sctp@vger.kernel.org
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall</title>
<updated>2012-11-28T16:11:17+00:00</updated>
<author>
<name>Tommi Rantala</name>
<email>tt.rantala@gmail.com</email>
</author>
<published>2012-11-22T03:23:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=6e51fe7572590d8d86e93b547fab6693d305fd0d'/>
<id>urn:sha1:6e51fe7572590d8d86e93b547fab6693d305fd0d</id>
<content type='text'>
Consider the following program, that sets the second argument to the
sendto() syscall incorrectly:

 #include &lt;string.h&gt;
 #include &lt;arpa/inet.h&gt;
 #include &lt;sys/socket.h&gt;

 int main(void)
 {
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd &lt; 0)
                 return 1;

         memset(&amp;sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&amp;sa, sizeof(sa));

         return 0;
 }

We get -ENOMEM:

 $ strace -e sendto ./demo
 sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)

Propagate the error code from sctp_user_addto_chunk(), so that we will
tell user space what actually went wrong:

 $ strace -e sendto ./demo
 sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)

Noticed while running Trinity (the syscall fuzzer).

Signed-off-by: Tommi Rantala &lt;tt.rantala@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails</title>
<updated>2012-11-28T16:10:09+00:00</updated>
<author>
<name>Tommi Rantala</name>
<email>tt.rantala@gmail.com</email>
</author>
<published>2012-11-27T04:01:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=be364c8c0f17a3dd42707b5a090b318028538eb9'/>
<id>urn:sha1:be364c8c0f17a3dd42707b5a090b318028538eb9</id>
<content type='text'>
Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
reproducible e.g. with the sendto() syscall by passing invalid
user space pointer in the second argument:

 #include &lt;string.h&gt;
 #include &lt;arpa/inet.h&gt;
 #include &lt;sys/socket.h&gt;

 int main(void)
 {
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd &lt; 0)
                 return 1;

         memset(&amp;sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&amp;sa, sizeof(sa));

         return 0;
 }

As far as I can tell, the leak has been around since ~2003.

Signed-off-by: Tommi Rantala &lt;tt.rantala@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: fix /proc/net/sctp/ memory leak</title>
<updated>2012-11-15T18:56:05+00:00</updated>
<author>
<name>Tommi Rantala</name>
<email>tt.rantala@gmail.com</email>
</author>
<published>2012-11-15T03:49:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=0da9a0c2638c8476b4a5021841912f249e3187dc'/>
<id>urn:sha1:0da9a0c2638c8476b4a5021841912f249e3187dc</id>
<content type='text'>
Commit 13d782f ("sctp: Make the proc files per network namespace.")
changed the /proc/net/sctp/ struct file_operations opener functions to
use single_open_net() and seq_open_net().

Avoid leaking memory by using single_release_net() and seq_release_net()
as the release functions.

Discovered with Trinity (the syscall fuzzer).

Signed-off-by: Tommi Rantala &lt;tt.rantala@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Cc: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: sctp: Fix typo in net/sctp</title>
<updated>2012-11-01T15:55:19+00:00</updated>
<author>
<name>Masanari Iida</name>
<email>standby24x7@gmail.com</email>
</author>
<published>2012-10-31T05:48:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d3e9a1dc7c34c3c5a253091289a54883bf27f6ba'/>
<id>urn:sha1:d3e9a1dc7c34c3c5a253091289a54883bf27f6ba</id>
<content type='text'>
Correct spelling typo in net/sctp/socket.c

Signed-off-by: Masanari Iida &lt;standby24x7@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter()</title>
<updated>2012-10-16T18:41:46+00:00</updated>
<author>
<name>Zijie Pan</name>
<email>zijie.pan@6wind.com</email>
</author>
<published>2012-10-15T03:56:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=f6e80abeab928b7c47cc1fbf53df13b4398a2bec'/>
<id>urn:sha1:f6e80abeab928b7c47cc1fbf53df13b4398a2bec</id>
<content type='text'>
Bug introduced by commit edfee0339e681a784ebacec7e8c2dc97dc6d2839
(sctp: check src addr when processing SACK to update transport state)

Signed-off-by: Zijie Pan &lt;zijie.pan@6wind.com&gt;
Signed-off-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
