summaryrefslogtreecommitdiffstats
path: root/net/sctp/auth.c
diff options
context:
space:
mode:
authorDaniel Borkmann <dborkman@redhat.com>2014-11-10 18:00:09 +0100
committerLuis Henriques <luis.henriques@canonical.com>2014-11-27 11:21:56 +0000
commit6bd693b534e77532f621021597bcc3a6f924ff00 (patch)
tree452abfc05dec86ffb2397b13d811d6a2aad70d26 /net/sctp/auth.c
parent1cfecc6bca7a8a81ded208b5b2e0a56a6b52ad9a (diff)
downloadlinux-stable-6bd693b534e77532f621021597bcc3a6f924ff00.tar.gz
linux-stable-6bd693b534e77532f621021597bcc3a6f924ff00.tar.bz2
linux-stable-6bd693b534e77532f621021597bcc3a6f924ff00.zip
net: sctp: fix memory leak in auth key management
commit 4184b2a79a7612a9272ce20d639934584a1f3786 upstream. A very minimal and simple user space application allocating an SCTP socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing the socket again will leak the memory containing the authentication key from user space: unreferenced object 0xffff8800837047c0 (size 16): comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s) hex dump (first 16 bytes): 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0 [<ffffffff811c88d8>] __kmalloc+0xe8/0x270 [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp] [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp] [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp] [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20 [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0 [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17 [<ffffffffffffffff>] 0xffffffffffffffff This is bad because of two things, we can bring down a machine from user space when auth_enable=1, but also we would leave security sensitive keying material in memory without clearing it after use. The issue is that sctp_auth_create_key() already sets the refcount to 1, but after allocation sctp_auth_set_key() does an additional refcount on it, and thus leaving it around when we free the socket. Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.") Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Diffstat (limited to 'net/sctp/auth.c')
-rw-r--r--net/sctp/auth.c2
1 files changed, 0 insertions, 2 deletions
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 0e8529113dc5..fb7976aee61c 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -862,8 +862,6 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
list_add(&cur_key->key_list, sh_keys);
cur_key->key = key;
- sctp_auth_key_hold(key);
-
return 0;
nomem:
if (!replace)