
Commit 70fc69bc authored by Lee A. Roberts's avatar Lee A. Roberts Committed by David S. Miller

sctp: fix association hangs due to off-by-one errors in sctp_tsnmap_grow()



In sctp_tsnmap_mark(), correct off-by-one error when calculating
size value for sctp_tsnmap_grow().

In sctp_tsnmap_grow(), correct off-by-one error when copying
and resizing the tsnmap.  If max_tsn_seen is in the LSB of the
word, this bit can be lost, causing the corresponding packet
to be transmitted again and to be entered as a duplicate into
the SCTP reassembly/ordering queues.  Change parameter name
from "gap" (zero-based index) to "size" (one-based) to enhance
code readability.

Signed-off-by: default avatarLee A. Roberts <lee.roberts@hp.com>
Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
parent 726bc6b0
+7 −6
@@ -51,7 +51,7 @@
static void sctp_tsnmap_update(struct sctp_tsnmap *map);
static void sctp_tsnmap_find_gap_ack(unsigned long *map, __u16 off,
				     __u16 len, __u16 *start, __u16 *end);
static int sctp_tsnmap_grow(struct sctp_tsnmap *map, u16 gap);
static int sctp_tsnmap_grow(struct sctp_tsnmap *map, u16 size);

/* Initialize a block of memory as a tsnmap.  */
struct sctp_tsnmap *sctp_tsnmap_init(struct sctp_tsnmap *map, __u16 len,
@@ -124,7 +124,7 @@ int sctp_tsnmap_mark(struct sctp_tsnmap *map, __u32 tsn,

	gap = tsn - map->base_tsn;

	if (gap >= map->len && !sctp_tsnmap_grow(map, gap))
	if (gap >= map->len && !sctp_tsnmap_grow(map, gap + 1))
		return -ENOMEM;

	if (!sctp_tsnmap_has_gap(map) && gap == 0) {
@@ -360,23 +360,24 @@ __u16 sctp_tsnmap_num_gabs(struct sctp_tsnmap *map,
	return ngaps;
}

static int sctp_tsnmap_grow(struct sctp_tsnmap *map, u16 gap)
static int sctp_tsnmap_grow(struct sctp_tsnmap *map, u16 size)
{
	unsigned long *new;
	unsigned long inc;
	u16  len;

	if (gap >= SCTP_TSN_MAP_SIZE)
	if (size > SCTP_TSN_MAP_SIZE)
		return 0;

	inc = ALIGN((gap - map->len),BITS_PER_LONG) + SCTP_TSN_MAP_INCREMENT;
	inc = ALIGN((size - map->len), BITS_PER_LONG) + SCTP_TSN_MAP_INCREMENT;
	len = min_t(u16, map->len + inc, SCTP_TSN_MAP_SIZE);

	new = kzalloc(len>>3, GFP_ATOMIC);
	if (!new)
		return 0;

	bitmap_copy(new, map->tsn_map, map->max_tsn_seen - map->base_tsn);
	bitmap_copy(new, map->tsn_map,
		map->max_tsn_seen - map->cumulative_tsn_ack_point);
	kfree(map->tsn_map);
	map->tsn_map = new;
	map->len = len;
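Review bot: In sctp_tsnmap_mark(), `gap + 1` is narrowed to the `u16 size` parameter, so a gap of 0xFFFF would reach sctp_tsnmap_grow() as 0 and pass the new `size > SCTP_TSN_MAP_SIZE` test, whereas the old `gap >= SCTP_TSN_MAP_SIZE` test rejected it. Once size is below map->len, `size - map->len` is negative going into ALIGN(), so the new length is computed from a meaningless value rather than from the gap being marked. Whether gap can get that large depends on its declaration and on bounds checks made by callers, both outside these hunks, so this may be unreachable today. The function would still be safer guarding itself, for example `if (size <= map->len || size > SCTP_TSN_MAP_SIZE) return 0;`. The bodies of sctp_tsnmap_mark() and sctp_tsnmap_grow() both continue outside the hunks shown.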