Commit 405426f6 authored Jun 14, 2013 by Daniel Borkmann Committed by David S. Miller Jun 14, 2013

net: sctp: sctp_sf_do_prm_asoc: do SCTP_CMD_INIT_CHOOSE_TRANSPORT first

While this currently cannot trigger any NULL pointer dereference in
sctp_seq_dump_local_addrs(), better change the order of commands to
prevent a future bug to happen. Although we first add SCTP_CMD_NEW_ASOC
and then set the SCTP_CMD_INIT_CHOOSE_TRANSPORT, it is okay for now,
since this primitive is only called by sctp_connect() or sctp_sendmsg()
with sctp_assoc_add_peer() set first. However, lets do this precaution
and first set the transport and then add it to the association hashlist
to prevent in future something to possibly triggering this.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent f9e42b85

net/sctp/sm_statefuns.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -4632,16 +4632,16 @@ sctp_disposition_t sctp_sf_do_prm_asoc(struct net *net,
		if (!repl)
		goto nomem;

		/* Choose transport for INIT. */
		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
		SCTP_CHUNK(repl));

		/* Cast away the const modifier, as we want to just
		* rerun it through as a sideffect.
		*/
		my_asoc = (struct sctp_association *)asoc;
		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc));

		/* Choose transport for INIT. */
		sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT,
		SCTP_CHUNK(repl));

		/* After sending the INIT, "A" starts the T1-init timer and
		* enters the COOKIE-WAIT state.
		*/