From 0d7b7b74c6015a068c410238295e0e7304af6a29 Mon Sep 17 00:00:00 2001
From: Michael Tuexen
Date: Wed, 29 Jul 2020 13:36:37 +0000
Subject: [WebRTC] Stop putting addresses in the cookie chunk.

When using AF_CONN addresses, don't put these in the COOKIE chunk. For these addresses it is possible to reconstruct them locally. Conceptually, addresses are something to be shared with the peer, but in the case of AF_CONN this might not be the case. Therefore, zero then out. Thanks to Natalie Silvanovich of Google Project Zero for finding and reporting the issue.
---
 netwerk/sctp/src/netinet/sctp_output.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'netwerk/sctp/src/netinet/sctp_output.c')
diff --git a/netwerk/sctp/src/netinet/sctp_output.c b/netwerk/sctp/src/netinet/sctp_output.c
index 49447fa9d..3f1a9525d 100755
--- a/netwerk/sctp/src/netinet/sctp_output.c
+++ b/netwerk/sctp/src/netinet/sctp_output.c
@@ -6492,6 +6492,27 @@ sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
 (uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
 SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr), (uint8_t *)signature,
 SCTP_SIGNATURE_SIZE);
+#if defined(__Userspace__)
+ /*
+ * Don't put AF_CONN addresses on the wire, in case this is critical
+ * for the application. However, they are protected by the HMAC and
+ * need to be reconstructed before checking the HMAC.
+ * Clearing is only done in the mbuf chain, since the local stc is
+ * not used anymore.
+ */
+ if (stc.addr_type == SCTP_CONN_ADDRESS) {
+ const void *p = NULL;
+
+ m_copyback(m_cookie, sizeof(struct sctp_paramhdr) + offsetof(struct sctp_state_cookie, address),
+ (int)sizeof(void *), (caddr_t)&p);
+ }
+ if (stc.laddr_type == SCTP_CONN_ADDRESS) {
+ const void *p = NULL;
+
+ m_copyback(m_cookie, sizeof(struct sctp_paramhdr) + offsetof(struct sctp_state_cookie, laddress),
+ (int)sizeof(void *), (caddr_t)&p);
+ }
+#endif
 /*
 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
 * here since the timer will drive a retranmission.
-- 
cgit v1.2.3
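Review bot: The pointer fields are cleared only after the sctp_hmac_m() call above has already signed m_cookie, so the signature covers the original pointer values and a COOKIE-ECHO can only verify if the receive path restores exactly those values before recomputing the HMAC; that counterpart is not in this diff (presumably the cookie-echo processing in sctp_input.c), so nothing in this hunk ties the two sides together. I would make that dependency explicit in the comment, e.g. `* NOTE: the HMAC above was computed over the original pointers; the cookie-echo receive path must restore them before verifying.` The two `if` blocks differ only in the field tested and the offsetof() written, so a small `static` helper taking the cookie offset would remove the duplication and keep the `(int)sizeof(void *)`/`(caddr_t)&p` idiom in one place. sctp_send_initiate_ack() starts and ends outside this hunk.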