summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Tuexen <tuexen@fh-muenster.de>2020-07-29 13:36:37 +0000
committerMoonchild <moonchild@palemoon.org>2020-07-29 13:36:37 +0000
commit9d155b45c7b95e99777278a22d91817f034ae5d9 (patch)
tree307b7a83e57cf313b1e597a1ab7f0df20f8f42d8
parente655ce397db3085a135f88b18dada46fd8e82a17 (diff)
downloadUXP-9d155b45c7b95e99777278a22d91817f034ae5d9.tar
UXP-9d155b45c7b95e99777278a22d91817f034ae5d9.tar.gz
UXP-9d155b45c7b95e99777278a22d91817f034ae5d9.tar.lz
UXP-9d155b45c7b95e99777278a22d91817f034ae5d9.tar.xz
UXP-9d155b45c7b95e99777278a22d91817f034ae5d9.zip
[WebRTC] Stop putting addresses in the cookie chunk.
When using AF_CONN addresses, don't put these in the COOKIE chunk. For these addresses it is possible to reconstruct them locally. Conceptually, addresses are something to be shared with the peer, but in the case of AF_CONN this might not be the case. Therefore, zero then out. Thanks to Natalie Silvanovich of Google Project Zero for finding and reporting the issue.
-rwxr-xr-xnetwerk/sctp/src/netinet/sctp_input.c21
-rwxr-xr-xnetwerk/sctp/src/netinet/sctp_output.c21
2 files changed, 42 insertions, 0 deletions
diff --git a/netwerk/sctp/src/netinet/sctp_input.c b/netwerk/sctp/src/netinet/sctp_input.c
index 1301b430c..f469e0f5c 100755
--- a/netwerk/sctp/src/netinet/sctp_input.c
+++ b/netwerk/sctp/src/netinet/sctp_input.c
@@ -2517,6 +2517,27 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
/* cookie too small */
return (NULL);
}
+#if defined(__Userspace__)
+ /*
+ * Recover the AF_CONN addresses within the cookie.
+ * This needs to be done in the buffer provided for later processing
+ * of the cookie and in the mbuf chain for HMAC validation.
+ */
+ if ((cookie->addr_type == SCTP_CONN_ADDRESS) && (src->sa_family == AF_CONN)) {
+ struct sockaddr_conn *sconnp = (struct sockaddr_conn *)src;
+
+ memcpy(cookie->address, &sconnp->sconn_addr , sizeof(void *));
+ m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, address),
+ (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
+ }
+ if ((cookie->laddr_type == SCTP_CONN_ADDRESS) && (dst->sa_family == AF_CONN)) {
+ struct sockaddr_conn *sconnp = (struct sockaddr_conn *)dst;
+
+ memcpy(cookie->laddress, &sconnp->sconn_addr , sizeof(void *));
+ m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, laddress),
+ (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
+ }
+#endif
/*
* split off the signature into its own mbuf (since it should not be
* calculated in the sctp_hmac_m() call).
diff --git a/netwerk/sctp/src/netinet/sctp_output.c b/netwerk/sctp/src/netinet/sctp_output.c
index 49447fa9d..3f1a9525d 100755
--- a/netwerk/sctp/src/netinet/sctp_output.c
+++ b/netwerk/sctp/src/netinet/sctp_output.c
@@ -6492,6 +6492,27 @@ sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
(uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
(uint8_t *)signature, SCTP_SIGNATURE_SIZE);
+#if defined(__Userspace__)
+ /*
+ * Don't put AF_CONN addresses on the wire, in case this is critical
+ * for the application. However, they are protected by the HMAC and
+ * need to be reconstructed before checking the HMAC.
+ * Clearing is only done in the mbuf chain, since the local stc is
+ * not used anymore.
+ */
+ if (stc.addr_type == SCTP_CONN_ADDRESS) {
+ const void *p = NULL;
+
+ m_copyback(m_cookie, sizeof(struct sctp_paramhdr) + offsetof(struct sctp_state_cookie, address),
+ (int)sizeof(void *), (caddr_t)&p);
+ }
+ if (stc.laddr_type == SCTP_CONN_ADDRESS) {
+ const void *p = NULL;
+
+ m_copyback(m_cookie, sizeof(struct sctp_paramhdr) + offsetof(struct sctp_state_cookie, laddress),
+ (int)sizeof(void *), (caddr_t)&p);
+ }
+#endif
/*
* We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
* here since the timer will drive a retranmission.