freebsd-skq/sys/netinet/sctp_crc32.c
tuexen e7003e64b0 When the IP layer calls back into the SCTP layer to perform the SCTP
checksum computation, do not assume that the IP header chain and the
SCTP common header are in contiguous memory although the SCTP lays
out the mbuf chains that way. If there are IP-level options inserted
by the IP layer, the constraint is not fulfilled anymore.

This issues was found by running syzkaller. Thanks to markj@ who is
running an instance which also provides kernel dumps. This allowed me
to find this issue.

MFC after:		3 days
2019-09-15 18:29:45 +00:00

148 lines
4.4 KiB
C

/*-
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved.
* Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
* Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* a) Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* b) Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the distribution.
*
* c) Neither the name of Cisco Systems, Inc. nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_sctp.h"
#include <sys/gsb_crc32.h>
#ifdef SCTP
#include <netinet/sctp_os.h>
#include <netinet/sctp.h>
#include <netinet/sctp_crc32.h>
#include <netinet/sctp_pcb.h>
#else
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <netinet/sctp_crc32.h>
#endif
static uint32_t
sctp_finalize_crc32c(uint32_t crc32c)
{
uint32_t result;
#if BYTE_ORDER == BIG_ENDIAN
uint8_t byte0, byte1, byte2, byte3;
#endif
/* Complement the result */
result = ~crc32c;
#if BYTE_ORDER == BIG_ENDIAN
/*
* For BIG-ENDIAN platforms the result is in little-endian form. So
* we must swap the bytes to return the result in network byte
* order.
*/
byte0 = result & 0x000000ff;
byte1 = (result >> 8) & 0x000000ff;
byte2 = (result >> 16) & 0x000000ff;
byte3 = (result >> 24) & 0x000000ff;
crc32c = ((byte0 << 24) | (byte1 << 16) | (byte2 << 8) | byte3);
#else
/*
* For LITTLE ENDIAN platforms the result is in already in network
* byte order.
*/
crc32c = result;
#endif
return (crc32c);
}
/*
* Compute the SCTP checksum in network byte order for a given mbuf chain m
* which contains an SCTP packet starting at offset.
* Since this function is also called by ipfw, don't assume that
* it is compiled on a kernel with SCTP support.
*/
uint32_t
sctp_calculate_cksum(struct mbuf *m, uint32_t offset)
{
uint32_t base = 0xffffffff;
while (offset > 0) {
KASSERT(m != NULL, ("sctp_calculate_cksum, offset > length of mbuf chain"));
if (offset < (uint32_t)m->m_len) {
break;
}
offset -= m->m_len;
m = m->m_next;
}
if (offset > 0) {
base = calculate_crc32c(base,
(unsigned char *)(m->m_data + offset),
(unsigned int)(m->m_len - offset));
m = m->m_next;
}
while (m != NULL) {
base = calculate_crc32c(base,
(unsigned char *)m->m_data,
(unsigned int)m->m_len);
m = m->m_next;
}
base = sctp_finalize_crc32c(base);
return (base);
}
#ifdef SCTP
/*
* Compute and insert the SCTP checksum in network byte order for a given
* mbuf chain m which contains an SCTP packet starting at offset.
*/
void
sctp_delayed_cksum(struct mbuf *m, uint32_t offset)
{
uint32_t checksum;
checksum = sctp_calculate_cksum(m, offset);
SCTP_STAT_DECR(sctps_sendhwcrc);
SCTP_STAT_INCR(sctps_sendswcrc);
offset += offsetof(struct sctphdr, checksum);
if (offset + sizeof(uint32_t) > (uint32_t)(m->m_pkthdr.len)) {
#ifdef INVARIANTS
panic("sctp_delayed_cksum(): m->m_pkthdr.len: %d, offset: %u.",
m->m_pkthdr.len, offset);
#else
SCTP_PRINTF("sctp_delayed_cksum(): m->m_pkthdr.len: %d, offset: %u.\n",
m->m_pkthdr.len, offset);
#endif
return;
}
m_copyback(m, (int)offset, (int)sizeof(uint32_t), (caddr_t)&checksum);
}
#endif