sctp_is_vtag_good: ipi_ep_mtx already locked #374

Closed
weinrank opened this issue Sep 18, 2019 · 2 comments
Comments

@weinrank
Contributor

INFO: Seed: 1417566624
INFO: Loaded 1 modules   (37952 inline 8-bit counters): 37952 [0x10aee9280, 0x10aef26c0),
INFO: Loaded 1 PC tables (37952 PCs): 37952 [0x10aef26c0,0x10af86ac0),
./fuzzer_connect_multi: Running 1 inputs 1 time(s) each.
Running: ./CORPUS_CONNECT/timeout-00b96dd43f1251438bb44daa0a5a24ae4df5bce5
[0.000] >>>>>>>>>>>>>>>>>>> LLVMFuzzerTestOneInput() - Stage 1
[0.002] [0.002] vrf_id 0x0: adding address: AF_CONN address: 0x1
[0.002] usrsctp initialized
[0.002] SCTP: add HMAC id 1 to list
[0.002] SCTP: added chunk 193 (0xc1) to Auth list
[0.002] SCTP: added chunk 128 (0x80) to Auth list
[0.003] Bind called port: 5000
[0.003] [0.003] Addr: IPv4 address: 0.0.0.0:5000
[0.003] Main hash to bind at head:0x625000000198, bound port:5000 - in tcp_pool=0
[0.003] [0.003] Allocate an association for peer:AF_CONN address: 0x1
[0.003] Port:5001
[0.003] [0.003] Adding an address (from:1) to the peer: AF_CONN address: 0x1
[0.003] Association 0x61d000001480 now allocated
[0.003] Sending INIT
[0.004] Sending INIT - calls lowlevel_output
[0.004] length 104 / sizeof 12
[0.004] Found INIT, extracting VTAG : 1452066971

O 13:42:21.857381 0000 13 88 13 89 00 00 00 00 00 00 00 00 01 00 00 5a 9b c8 8c 56 00 02 00 00 00 0a 08 00 ad 92 b8 9b 80 00 00 04 c0 00 00 04 80 08 00 0b c0 c2 0f c1 80 82 40 00 80 02 00 24 ce b5 79 5e b2 30 cb a4 82 4f 41 6f b7 a9 47 ea 82 61 b4 f0 94 94 f3 7c 9c 85 42 31 a9 d0 91 f4 80 04 00 06 00 01 00 00 80 03 00 06 80 c1 00 00 # SCTP_PACKET

[0.008] Ok, Common input processing called, m:0x611000000900 iphlen:0 offset:12 length:516 stcb:0x61d000001480
[0.008] stcb:0x61d000001480 state:2
[0.008] sctp_process_control: iphlen=0, offset=12, length=516 stcb:0x61d000001480
[0.008] sctp_process_control: processing a chunk type=2, len=504
[0.008] SCTP_INIT_ACK
[0.008] sctp_handle_init_ack: handling INIT-ACK
[0.008] Check for unrecognized param's
[0.008] Hit default param 8004
[0.008] move on
[0.009] SCTP: add HMAC id 1 to list
[0.009] SCTP: added chunk 0 (0x00) to Auth list
[0.009] SCTP: added chunk 128 (0x80) to Auth list
[0.009] SCTP: added chunk 193 (0xc1) to Auth list
[0.009] SCTP: negotiated peer HMAC id 1
[0.009] moving to COOKIE-ECHOED state
[0.009] Leaving handle-init-ack end

[0.009] m-c-o put out 0
[0.009] Ok, we have put out 0 chunks
[0.009] Check for chunk output prw:1864135 tqe:0 tf=0
[0.009] Calling chunk OUTPUT
[0.009] m-c-o put out 0
[0.009] Ok, we have put out 0 chunks
[0.009] chunk OUTPUT returns
[0.009]  >>> Injecting INIT_ACK

[0.010] Ok, Common input processing called, m:0x6110000016c0 iphlen:0 offset:12 length:1007 stcb:0x61d000001480
[0.010] stcb:0x61d000001480 state:4
[0.010] sctp_process_control: iphlen=0, offset=12, length=1007 stcb:0x61d000001480
[0.010] sctp_process_control: processing a chunk type=135, len=8
[0.010] sctp_process_control: processing a chunk type=7, len=8
[0.010] SCTP_SHUTDOWN, stcb 0x61d000001480
[0.010] sctp_handle_shutdown: handling SHUTDOWN
[0.010] sctp_process_control: processing a chunk type=7, len=8
[0.010] SCTP_SHUTDOWN, stcb 0x61d000001480
[0.010] sctp_handle_shutdown: handling SHUTDOWN
[0.010] sctp_process_control: processing a chunk type=7, len=8
[0.010] SCTP_SHUTDOWN, stcb 0x61d000001480
[0.010] sctp_handle_shutdown: handling SHUTDOWN
[0.010] sctp_process_control: processing a chunk type=222, len=49
[0.010] sctp_process_control: processing a chunk type=130, len=256
[0.010] SCTP_STREAM_RESET
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Peer does not support chunk type 9 (0x9).
[0.010] Received missing state abort flags: 1
[0.010] sctp_asconf_send_nat_state_update: unknown address family
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Received missing state abort flags: 1
[0.010] sctp_asconf_send_nat_state_update: unknown address family
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Received missing state abort flags: 1
[0.010] sctp_asconf_send_nat_state_update: unknown address family
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Received missing state abort flags: 1
[0.010] sctp_asconf_send_nat_state_update: unknown address family
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Received missing state abort flags: 1
[0.010] sctp_asconf_send_nat_state_update: unknown address family
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Received missing state abort flags: 1
[0.010] sctp_asconf_send_nat_state_update: unknown address family
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Received missing state abort flags: 1
[0.010] sctp_asconf_send_nat_state_update: unknown address family
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Received missing state abort flags: 1
[0.010] sctp_asconf_send_nat_state_update: unknown address family
[0.010] sctp_process_control: processing a chunk type=9, len=39
[0.010] SCTP_OP_ERR
[0.010] Received Colliding state abort flags: 1
[0.010] [0.010] [0.010] sctp_is_vtag_good(): sctp_is_vtag_good: ipi_ep_mtx already locked
==66290== ERROR: libFuzzer: deadly signal
    #0 0x10c2deab7 in __sanitizer_print_stack_trace (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6aab7)
    #1 0x10ac02bb8 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:206
    #2 0x10abe2328 in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:237
    #3 0x10abe22ef in fuzzer::Fuzzer::StaticCrashSignalCallback() FuzzerLoop.cpp:209
    #4 0x7fff75bdab5c in _sigtramp (libsystem_platform.dylib:x86_64+0x4b5c)
    #5 0x1fffdcbac307  (<unknown module>)
    #6 0x7fff75a946a5 in abort (libsystem_c.dylib:x86_64+0x5b6a5)
    #7 0x10a534246 in terminate_non_graceful user_environment.h:94
    #8 0x10a6a7c33 in sctp_is_vtag_good sctp_pcb.c:7833
    #9 0x10a9955ff in sctp_select_a_tag sctputil.c:981
    #10 0x10a217b21 in sctp_handle_nat_colliding_state sctp_input.c:813
    #11 0x10a1ba650 in sctp_handle_error sctp_input.c:1276
    #12 0x10a182a79 in sctp_process_control sctp_input.c:5280
    #13 0x10a15b815 in sctp_common_input_processing sctp_input.c:5898
    #14 0x10abc2049 in usrsctp_conninput user_socket.c:3518
    #15 0x109e9b74d in LLVMFuzzerTestOneInput fuzzer_connect.c:438
    #16 0x10abe36e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:533
    #17 0x10abd6f61 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) FuzzerDriver.cpp:280
    #18 0x10abdbddb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:709
    #19 0x10ac03ea2 in main FuzzerMain.cpp:20
    #20 0x7fff759ef3d4 in start (libdyld.dylib:x86_64+0x163d4)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

PCAP: sctp_is_vtag_good.pcapng.zip

Reproduce

git clone https://github.com/weinrank/usrsctp --branch fuzzer-connected --single-branch
cd usrsctp
./build-fuzzer.sh
cd fuzzer
./fuzzer_connect_multi ./CORPUS_CONNECT/timeout-00b96dd43f1251438bb44daa0a5a24ae4df5bce5
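The double lock in the stack trace above (sctp_handle_nat_colliding_state entering sctp_select_a_tag while the info lock is held, and sctp_is_vtag_good then finding ipi_ep_mtx already locked), modelled in C as an added example that is not usrsctp's code. The mutex, the in-use tag table and the handler names are constructed stand-ins; the "fixed" shape follows the rule in the referenced commits of not holding the info lock across the sctp_select_a_tag() call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a non-recursive mutex that knows whether it is held,
 * standing in for usrsctp's ipi_ep_mtx ("info lock"). Names are ours. */
typedef struct { int held; } model_mtx;

static model_mtx info_lock;            /* stand-in for ipi_ep_mtx */
int double_lock_detected;              /* set when a held lock is re-taken */

static int mtx_lock(model_mtx *m) {
    if (m->held) { double_lock_detected = 1; return -1; }  /* "already locked" */
    m->held = 1;
    return 0;
}
static void mtx_unlock(model_mtx *m) { m->held = 0; }

/* Constructed stand-in for the vtag tables: tags already used locally. */
static const uint32_t tags_in_use[] = { 5, 6 };

/* Model of sctp_is_vtag_good(): takes the info lock itself to consult the tag
 * tables. Returns 1 = usable, 0 = reserved/in use, -1 = lock already held
 * (the point where the real code reached terminate_non_graceful()). */
int is_vtag_good(uint32_t tag) {
    if (mtx_lock(&info_lock) < 0) return -1;
    int good = (tag != 0);                    /* tag 0 is reserved by RFC 4960 */
    for (size_t i = 0; i < sizeof tags_in_use / sizeof tags_in_use[0]; i++)
        if (tags_in_use[i] == tag) good = 0;
    mtx_unlock(&info_lock);
    return good;
}

/* Model of sctp_select_a_tag(): try candidates until one is usable.
 * Returns 0 (never a valid tag) if the check aborted on a double lock. */
uint32_t select_a_tag(uint32_t seed) {
    for (uint32_t cand = seed; cand < seed + 16; cand++) {
        int r = is_vtag_good(cand);
        if (r < 0) return 0;
        if (r == 1) return cand;
    }
    return 0;
}

/* Buggy shape of the NAT colliding-state handler: the info lock is still held
 * when select_a_tag() runs, so is_vtag_good() re-takes it and trips the check. */
uint32_t handle_colliding_state_buggy(uint32_t seed) {
    mtx_lock(&info_lock);
    uint32_t tag = select_a_tag(seed);
    mtx_unlock(&info_lock);
    return tag;
}

/* Fixed shape: finish the locked work, drop the info lock, then select the tag. */
uint32_t handle_colliding_state_fixed(uint32_t seed) {
    mtx_lock(&info_lock);
    /* ... read whatever needs the info lock here ... */
    mtx_unlock(&info_lock);
    return select_a_tag(seed);
}

int main(void) {
    printf("fixed: tag=%u double_lock=%d\n", handle_colliding_state_fixed(5), double_lock_detected);
    printf("buggy: tag=%u double_lock=%d\n", handle_colliding_state_buggy(5), double_lock_detected);
    return 0;
}
```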
@tuexen tuexen self-assigned this Sep 22, 2019
@tuexen tuexen added the bug label Sep 22, 2019
tuexen added a commit to sctplab/stream-reset-improved that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.
tuexen added a commit to sctplab/SCTP_NKE_ElCapitan that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.
tuexen added a commit to sctplab/SCTP_NKE_Yosemite that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.
tuexen added a commit to sctplab/SCTP_NKE_HighSierra that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.
tuexen added a commit that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
#374
He found this bug using fuzz testing.
tuexen added a commit to sctplab/sctp-idata that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.
tuexen added a commit to sctplab/pr-sctp-improved that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.
@tuexen
Member

tuexen commented Sep 22, 2019

@weinrank: I think 2caf696 should fix this issue. Please retest and report.

uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.

MFC after:		3 days
uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 22, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.

MFC after:		3 days


git-svn-id: svn+ssh://svn.freebsd.org/base/head@352594 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
@weinrank
Contributor Author

Fixed!

mat813 pushed a commit to mat813/freebsd that referenced this issue Sep 23, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.

MFC after:		3 days


git-svn-id: https://svn.freebsd.org/base/head@352594 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 25, 2019
Don't hold the info lock when calling sctp_select_a_tag().

This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.
mat813 pushed a commit to mat813/freebsd that referenced this issue Oct 2, 2019
Don't hold the info lock when calling sctp_select_a_tag().

This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.


git-svn-id: https://svn.freebsd.org/base/stable/12@352676 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
uqs pushed a commit to freebsd/freebsd-src that referenced this issue Oct 3, 2019
Only allow a SCTP-AUTH shared key to be updated by the application
if it is not deactivated and not used.
This avoids a use-after-free problem.

MFS r352674:

Fix the handling of invalid parameters in ASCONF chunks.
Thanks to Mark Wodrich from Google for reporting the issue in
sctplab/usrsctp#376
for the userland stack.

MFS r352675:

Cleanup the RTO calculation and perform some consistency checks
before computing the RTO.
This should fix an overflow issue reported by Felix Weinrank in
sctplab/usrsctp#375
for the userland stack and found by running a fuzz tester.

MFS r352676:

Don't hold the info lock when calling sctp_select_a_tag().
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.

MFS r353034:

Plumb a memory leak.
Thanks to Felix Weinrank for finding this issue using fuzz testing
and reporting it for the userland stack:
sctplab/usrsctp#378

MFS r353036:

Don't use stack memory which is not initialized.
Thanks to Mark Wodrich for reporting this issue for the userland stack in
sctplab/usrsctp#380
This issue was also found for usrsctp by OSS-fuzz in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17778

Approved by:		re (kib@)
mat813 pushed a commit to mat813/freebsd that referenced this issue Oct 7, 2019
Only allow a SCTP-AUTH shared key to be updated by the application
if it is not deactivated and not used.
This avoids a use-after-free problem.

MFS r352674:

Fix the handling of invalid parameters in ASCONF chunks.
Thanks to Mark Wodrich from Google for reporting the issue in
sctplab/usrsctp#376
for the userland stack.

MFS r352675:

Cleanup the RTO calculation and perform some consistency checks
before computing the RTO.
This should fix an overflow issue reported by Felix Weinrank in
sctplab/usrsctp#375
for the userland stack and found by running a fuzz tester.

MFS r352676:

Don't hold the info lock when calling sctp_select_a_tag().
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.

MFS r353034:

Plumb a memory leak.
Thanks to Felix Weinrank for finding this issue using fuzz testing
and reporting it for the userland stack:
sctplab/usrsctp#378

MFS r353036:

Don't use stack memory which is not initialized.
Thanks to Mark Wodrich for reporting this issue for the userland stack in
sctplab/usrsctp#380
This issue was also found for usrsctp by OSS-fuzz in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17778

Approved by:		re (kib@)


git-svn-id: https://svn.freebsd.org/base/releng/12.1@353045 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
brooksdavis pushed a commit to CTSRD-CHERI/cheribsd that referenced this issue Oct 23, 2019
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.

MFC after:		3 days
fichtner pushed a commit to opnsense/src that referenced this issue Oct 29, 2019
Only allow a SCTP-AUTH shared key to be updated by the application
if it is not deactivated and not used.
This avoids a use-after-free problem.

MFS r352674:

Fix the handling of invalid parameters in ASCONF chunks.
Thanks to Mark Wodrich from Google for reporting the issue in
sctplab/usrsctp#376
for the userland stack.

MFS r352675:

Cleanup the RTO calculation and perform some consistency checks
before computing the RTO.
This should fix an overflow issue reported by Felix Weinrank in
sctplab/usrsctp#375
for the userland stack and found by running a fuzz tester.

MFS r352676:

Don't hold the info lock when calling sctp_select_a_tag().
This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.

MFS r353034:

Plumb a memory leak.
Thanks to Felix Weinrank for finding this issue using fuzz testing
and reporting it for the userland stack:
sctplab/usrsctp#378

MFS r353036:

Don't use stack memory which is not initialized.
Thanks to Mark Wodrich for reporting this issue for the userland stack in
sctplab/usrsctp#380
This issue was also found for usrsctp by OSS-fuzz in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17778

Approved by:		re (kib@)
uqs pushed a commit to freebsd/freebsd-src that referenced this issue May 7, 2020
Don't hold the info lock when calling sctp_select_a_tag().

This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.
mat813 pushed a commit to mat813/freebsd that referenced this issue Jun 9, 2020
Don't hold the info lock when calling sctp_select_a_tag().

This avoids a double lock bug in the NAT colliding state processing
of SCTP. Thanks to Felix Weinrank for finding and reporting this issue in
sctplab/usrsctp#374
He found this bug using fuzz testing.


git-svn-id: https://svn.freebsd.org/base/stable/11@360736 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f