LinuxQuestions.org
Old 08-08-2014, 10:06 AM   #1
LearningGeek
LQ Newbie
 
Registered: Aug 2014
Posts: 1

Rep: Reputation: Disabled
msg_flags of sctp_recvmsg() behave differently in redhat rel5 and redhat rel6


Hello Guys,

I am developing software in which I am using the redhat sctp library. I find this strange behavior between sctp_recvmsg in redhat rel5 and redhat rel6. I am capturing the syntax to make my query clear.

int sctp_recvmsg(int sd, void * msg, size_t len, struct sockaddr * from, socklen_t * fromlen, struct sctp_sndrcvinfo * sinfo, int * msg_flags);

The last option msg_flags worked fine when I declared it as int in rel 5. But in rel6, when I declare it as int, my poll() loops for an odd 1272 times and then stops. This loop number is fixed.
I changed msg_flags from int to long and it worked fine.

If anyone knows the reason for this, please let me know.
 
Old 08-09-2014, 12:09 PM   #2
zer0python
Member
 
Registered: Sep 2003
Posts: 104

Rep: Reputation: 20
It appears redhat's sctp library is lksctp. The implementation of sctp_recvmsg() is here.

Looking at the implemented code, I see no reason why a switch from int* to long* would work (unless maybe there's a weird 32bit<->64bit thing going on).
Without more code to go on, I'm not sure if I (or anyone) will be able to help much. 1272 seems like a fairly "random" number, but I'm sure it has some kind of meaning within the context of your code.
 
Old 08-09-2014, 12:24 PM   #3
zer0python
Member
 
Registered: Sep 2003
Posts: 104

Rep: Reputation: 20
Doing a little more research, I came across this, which talks about a potential local DoS from an "infected" CMSG. The patch supplied appears to, instead of looping over CMSGs, get only one of them. I'm not really sure if this patch may be what broke your thing.

The patch is as follows (note the text at the top, particularly about multiple CMSGs):
Code:
This patch fixes hemlock by disallowing the condition that creates the poisoned
buffer in the first place.  This is likely to break some esoteric ipv4 apps which
depend on having multiple CMSG entries, but as there are only two sendable CMSG for
IPv4, I really doubt it.

--- linux-2.6.32-358.11.1.el6.x86_64.orig/net/ipv4/ip_sockglue.c	2013-05-15 08:33:03.000000000 -0400
+++ linux-2.6.32-358.11.1.el6.x86_64/net/ipv4/ip_sockglue.c	2013-06-30 05:19:43.000000000 -0400
@@ -196,7 +196,8 @@
 	int err;
 	struct cmsghdr *cmsg;
 
-	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+	cmsg = CMSG_FIRSTHDR(msg);
+	{
 		if (!CMSG_OK(msg, cmsg))
 			return -EINVAL;
 		if (cmsg->cmsg_level != SOL_IP)
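Review bot: the removed `for` loop's `cmsg;` condition was the only NULL check on the result of `CMSG_FIRSTHDR(msg)`, and the replacement block goes straight to `CMSG_OK(msg, cmsg)` and `cmsg->cmsg_level` without one, so an explicit `if (!cmsg)` early exit is needed before the block. Separately, the description says the multi-entry condition is disallowed, but these lines only stop looking after the first entry; if rejection is the intent, test `CMSG_NXTHDR(msg, cmsg)` and return -EINVAL when it is non-NULL. The bare `{` left over from the loop should also go, in favour of straight-line code.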
Again, this is just a shot in the dark, hope it's helpful.
See CVE-2013-2224 for more details on the noted exploit.

Last edited by zer0python; 08-09-2014 at 12:26 PM. Reason: Add url to nvd.nist.gov
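As an added illustration of the behaviour discussed in post #3 (not code from the thread, the quoted patch or the kernel): a userspace walk over a constructed control buffer, comparing how many entries a full CMSG_FIRSTHDR/CMSG_NXTHDR loop visits with a first-entry-only walk, including the case where msg_controllen is too short to hold one header. The helper names and the IP_TOS/IP_TTL sample entries are assumptions made for the example.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* Constructed control buffer with room for two int-sized entries, aligned for cmsghdr. */
static union {
    unsigned char bytes[2 * CMSG_SPACE(sizeof(int))];
    struct cmsghdr align;
} ctl;
static struct msghdr msg;

/* Write two constructed IPPROTO_IP entries (payloads stay zero), expose `controllen` bytes. */
static void build(size_t controllen)
{
    static const int types[2] = { IP_TOS, IP_TTL };   /* sample types, assumed */
    for (int i = 0; i < 2; i++) {
        struct cmsghdr *c = (struct cmsghdr *)(ctl.bytes + i * CMSG_SPACE(sizeof(int)));
        c->cmsg_level = IPPROTO_IP;
        c->cmsg_type = types[i];
        c->cmsg_len = CMSG_LEN(sizeof(int));
    }
    msg.msg_control = ctl.bytes;
    msg.msg_controllen = controllen;
}

/* Entries visited by a full CMSG_FIRSTHDR/CMSG_NXTHDR loop. */
static int seen_by_loop(size_t controllen)
{
    int n = 0;
    build(controllen);
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        n++;
    return n;
}

/* Entries visited when only the first header is taken; NULL means none. */
static int seen_first_only(size_t controllen)
{
    build(controllen);
    return CMSG_FIRSTHDR(&msg) != NULL;
}

int main(void)
{
    printf("full:  loop=%d first-only=%d\n", seen_by_loop(sizeof ctl.bytes), seen_first_only(sizeof ctl.bytes));
    printf("short: loop=%d first-only=%d\n", seen_by_loop(4), seen_first_only(4));
    return 0;
}
```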
 
  

