
Commit 35452319 authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman

Revert "netfilter: conntrack: allow sctp hearbeat after connection re-use"



This reverts commit 59d2b1e5 which is
commit cc5453a5b7e90c39f713091a7ebc53c1f87d1700 upstream.

It causes ABI breakages and isn't really needed in this tree at this
point in time.

Bug: 161946584
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I05666ad53306b0cfb83e0bac9799e87455c5e16c
parent 22cb1b9c
+0 −2
@@ -9,8 +9,6 @@ struct ip_ct_sctp {
	enum sctp_conntrack state;

	__be32 vtag[IP_CT_DIR_MAX];
	u8 last_dir;
	u8 flags;
};

#endif /* _NF_CONNTRACK_SCTP_H */
+4 −35
@@ -62,8 +62,6 @@ static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
	[SCTP_CONNTRACK_HEARTBEAT_ACKED]	= 210 SECS,
};

#define	SCTP_FLAG_HEARTBEAT_VTAG_FAILED	1

#define sNO SCTP_CONNTRACK_NONE
#define	sCL SCTP_CONNTRACK_CLOSED
#define	sCW SCTP_CONNTRACK_COOKIE_WAIT
@@ -371,7 +369,6 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
	u_int32_t offset, count;
	unsigned int *timeouts;
	unsigned long map[256 / sizeof(unsigned long)] = { 0 };
	bool ignore = false;

	if (sctp_error(skb, dataoff, state))
		return -NF_ACCEPT;
@@ -430,39 +427,15 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
			/* Sec 8.5.1 (D) */
			if (sh->vtag != ct->proto.sctp.vtag[dir])
				goto out_unlock;
		} else if (sch->type == SCTP_CID_HEARTBEAT) {
			if (ct->proto.sctp.vtag[dir] == 0) {
				pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir);
				ct->proto.sctp.vtag[dir] = sh->vtag;
			} else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
				if (test_bit(SCTP_CID_DATA, map) || ignore)
					goto out_unlock;

				ct->proto.sctp.flags |= SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
				ct->proto.sctp.last_dir = dir;
				ignore = true;
				continue;
			} else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
				ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
			}
		} else if (sch->type == SCTP_CID_HEARTBEAT_ACK) {
		} else if (sch->type == SCTP_CID_HEARTBEAT ||
			   sch->type == SCTP_CID_HEARTBEAT_ACK) {
			if (ct->proto.sctp.vtag[dir] == 0) {
				pr_debug("Setting vtag %x for dir %d\n",
					 sh->vtag, dir);
				ct->proto.sctp.vtag[dir] = sh->vtag;
			} else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
				if (test_bit(SCTP_CID_DATA, map) || ignore)
					goto out_unlock;

				if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 ||
				    ct->proto.sctp.last_dir == dir)
				pr_debug("Verification tag check failed\n");
				goto out_unlock;

				ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
				ct->proto.sctp.vtag[dir] = sh->vtag;
				ct->proto.sctp.vtag[!dir] = 0;
			} else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
				ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
			}
		}

@@ -497,10 +470,6 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
	}
	spin_unlock_bh(&ct->lock);

	/* allow but do not refresh timeout */
	if (ignore)
		return NF_ACCEPT;

	timeouts = nf_ct_timeout_lookup(ct);
	if (!timeouts)
		timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;
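Review bot: On the new side of the `@@ -430,39 +427,15 @@` hunk, a HEARTBEAT or HEARTBEAT-ACK whose verification tag differs from the stored `vtag[dir]` is once more rejected unconditionally (`pr_debug("Verification tag check failed\n"); goto out_unlock;`), and nothing at that point says why, even though the code being reverted had deliberately relaxed exactly this check. A short comment would keep the next reader from treating the drop as an oversight, e.g. `/* vtag mismatch on a heartbeat: the chunk does not belong to this association (see the Sec 8.5.1 note above), so drop it rather than re-learn the tag */`. As far as these hunks show, the consequence is that an association re-used with a fresh vtag stays blocked until the conntrack entry expires under the `sctp_timeouts` table from the first hunk, which the commit message does not mention beyond the ABI argument. The revert also removes `SCTP_FLAG_HEARTBEAT_VTAG_FAILED` together with the `flags` and `last_dir` fields, so any reference to them outside the hunks shown here would no longer build and is worth confirming. `nf_conntrack_sctp_packet` begins and ends outside the hunk.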