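// SPDX-License-Identifier: GPL-2.0-or-later
/* Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved.
 *
 * Regression test-case for the crash caused by over-sized SCTP chunk,
 * fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a new
 * chunk in _sctp_make_chunk()")
 */

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netdb.h>
#include <sys/syscall.h>

#include "tst_test.h"
#include "tst_safe_stdio.h"
#include "tst_checksum.h"
#include "lapi/netinet_in.h"
#include "lapi/socket.h"
#include "lapi/sctp.h"

/* Fixed sizes, in bytes, of the SCTP pieces assembled by setup_client(). */
enum {
	CMN_HDR_LEN = 12,	/* ports (2 + 2) + vtag (4) + checksum (4) */
	INIT_CHUNK_LEN = 20,	/* chunk header (4) + fixed INIT fields (16) */
	ADDR_PARAM_LEN = 20,	/* type (2) + length (2) + IPv6 address (16) */
};

static int port;
static int sfd, cfd;
static struct sockaddr_in6 rmt, loc;

/*
 * The whole IPv6 packet is built in this buffer. It has static storage and
 * is therefore zero-filled, which setup_client() relies on for the bytes it
 * skips over.
 */
static uint8_t packet[IP_MAXPACKET];
static int pkt_len;
static char *addr_param;
static int addr_num = 3273;

/*
 * Largest number of address parameters that still fits in packet[] behind
 * the IPv6 header, the SCTP common header and the INIT chunk header. The -a
 * option is clamped to this value so the builder can never write past the
 * end of the buffer.
 */
#define MAX_ADDR_NUM \
	((int)((sizeof(packet) - sizeof(struct ip6_hdr) - CMN_HDR_LEN - \
		INIT_CHUNK_LEN) / ADDR_PARAM_LEN))

/*
 * Create the SCTP listener on the IPv6 loopback address and remember the
 * port the kernel assigned to it. The port also seeds rand(), which is
 * later used for the INIT tag and the initial TSN.
 */
static void setup_server(void)
{
	loc.sin6_family = AF_INET6;
	loc.sin6_addr = in6addr_loopback;

	sfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
	SAFE_BIND(sfd, (struct sockaddr *)&loc, sizeof(loc));

	port = TST_GETSOCKPORT(sfd);
	tst_res(TINFO, "sctp server listen on %d", port);

	SAFE_LISTEN(sfd, 1);

	srand(port);
}

/*
 * Copy buf_len bytes from buf into packet[] at *off and advance *off.
 *
 * No bounds check is done here: the total size is limited up front by
 * setup(), which rejects any address count above MAX_ADDR_NUM.
 */
static void update_packet_field(size_t *off, void *buf, size_t buf_len)
{
	memcpy(packet + *off, buf, buf_len);
	*off += buf_len;
}

/*
 * Build the raw IPv6 packet carrying one SCTP INIT chunk followed by
 * addr_num IPv6 address parameters, then open the raw socket it is sent
 * from. The result is left in packet[] / pkt_len.
 */
static void setup_client(void)
{
	struct ip6_hdr ip6;
	const size_t ip6_hdr_len = sizeof(ip6);
	size_t cmn_hdr_off;
	size_t off;
	int i;

	memset(&ip6, 0, sizeof(ip6));
	/* version 6 in the top nibble, traffic-class field 0x02 */
	ip6.ip6_flow = htonl(6 << 28 | 2 << 20);
	ip6.ip6_hops = 64;
	ip6.ip6_nxt = IPPROTO_SCTP;
	/* source and destination are both ::1 */
	ip6.ip6_src.s6_addr[15] = 1;
	ip6.ip6_dst.s6_addr[15] = 1;
	rmt.sin6_family = AF_INET6;
	rmt.sin6_addr = in6addr_loopback;

	/* SCTP common header */
	off = ip6_hdr_len;

	uint16_t src_port = htons(port - 1);
	uint16_t dst_port = htons(port);
	uint32_t vtag = 0;
	uint32_t checksum = 0;	/* placeholder, filled in once the packet is complete */

	update_packet_field(&off, &src_port, 2);
	update_packet_field(&off, &dst_port, 2);
	update_packet_field(&off, &vtag, 4);
	update_packet_field(&off, &checksum, 4);
	/* the INIT chunk starts right after the common header */
	cmn_hdr_off = off;

	/* SCTP INIT chunk */
	uint16_t chunk_len;

	packet[off++] = 1;	/* chunk type */
	packet[off++] = 0;	/* chunk flags */
	off += 2; /* chunk length, will be set in the end */

	uint32_t init_tag = rand();
	uint32_t rwnd = htonl(106496);
	uint16_t outs = htons(10);
	uint16_t ins = htons(65535);
	uint32_t init_tsn = rand();

	update_packet_field(&off, &init_tag, 4);
	update_packet_field(&off, &rwnd, 4);
	update_packet_field(&off, &outs, 2);
	update_packet_field(&off, &ins, 2);
	update_packet_field(&off, &init_tsn, 4);

	/* SCTP optional parameter for IPv6 addresses */
	uint16_t param_type = htons(6);
	uint16_t param_len = htons(20);

	/*
	 * With the default addr_num:
	 * IPv6(40) + SCTP_COMMON(12) + SCTP_CHUNK(20) + SCTP_OPT(65460)
	 *
	 * Each parameter is type + length followed by a 16-byte address; only
	 * the last address byte is written, the rest stays zero from the
	 * static buffer, so every parameter carries ::1.
	 */
	for (i = 0; i < addr_num; ++i) {
		update_packet_field(&off, &param_type, 2);
		update_packet_field(&off, &param_len, 2);
		packet[off + 15] = 1;
		off += 16;
	}
	pkt_len = off;

	/* back-fill the chunk length now that the final size is known */
	tst_res(TINFO, "set chunk length %zu", pkt_len - cmn_hdr_off);
	chunk_len = htons(pkt_len - cmn_hdr_off);
	memcpy(packet + cmn_hdr_off + 2, &chunk_len, 2);

	/*
	 * set checksum for SCTP: common header + INIT chunk; the checksum
	 * field itself still holds the zero written above while it is computed
	 */
	uint32_t csum = tst_crc32c(packet + ip6_hdr_len, pkt_len - ip6_hdr_len);

	memcpy(packet + ip6_hdr_len + 8, &csum, 4);

	ip6.ip6_plen = htons(pkt_len - ip6_hdr_len);
	memcpy(packet, &ip6, ip6_hdr_len);

	cfd = SAFE_SOCKET(AF_INET6, SOCK_RAW, IPPROTO_RAW);
}

static const char mtu_path[] = "/sys/class/net/lo/mtu";
static const unsigned int max_mtu = 65535;
static unsigned int mtu;

/*
 * Validate the -a option, check the loopback MTU and prepare both ends.
 *
 * The address count is limited to MAX_ADDR_NUM: anything larger would make
 * setup_client() write beyond packet[], corrupting the test's own memory
 * before a single byte reaches the kernel.
 */
static void setup(void)
{
	if (tst_parse_int(addr_param, &addr_num, 1, MAX_ADDR_NUM))
		tst_brk(TBROK, "wrong address number '%s'", addr_param);

	/* We don't fragment IPv6 packet here yet, check that MTU is 65535 */
	SAFE_FILE_SCANF(mtu_path, "%u", &mtu);
	if (mtu < max_mtu)
		tst_brk(TCONF, "Test needs that 'lo' MTU has %u", max_mtu);

	setup_server();
	setup_client();
}

/*
 * Send the prepared packet to the listener while a child process waits in
 * accept(). The child is killed afterwards; reaching TPASS means the kernel
 * handled the over-sized chunk without crashing.
 */
static void run(void)
{
	int pid = SAFE_FORK();

	if (!pid) {
		struct sockaddr_in6 addr6;
		socklen_t addr_size = sizeof(addr6);

		if (accept(sfd, (struct sockaddr *)&addr6, &addr_size) < 0)
			tst_brk(TBROK | TERRNO, "accept() failed");
		exit(0);
	}

	SAFE_SENDTO(1, cfd, packet, pkt_len, 0, (struct sockaddr *)&rmt,
		    sizeof(rmt));

	SAFE_KILL(pid, SIGKILL);
	SAFE_WAITPID(pid, NULL, 0);

	tst_res(TPASS, "test doesn't cause crash");
}

static struct tst_option options[] = {
	{"a:", &addr_param, "-a number of additional IP address params"},
	{NULL, NULL, NULL}
};

/* Root is required because setup_client() opens a raw socket. */
static struct tst_test test = {
	.needs_root = 1,
	.setup = setup,
	.forks_child = 1,
	.test_all = run,
	.options = options
};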