Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 86044244 authored by Xin Long's avatar Xin Long Committed by Greg Kroah-Hartman
Browse files

sctp: fix the processing for COOKIE_ECHO chunk 



[ Upstream commit a64b341b8695e1c744dd972b39868371b4f68f83 ]

1. In closed state: in sctp_sf_do_5_1D_ce():

  When asoc is NULL, making packet for abort will use chunk's vtag
  in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk
  should be verified before using peer.i.init_tag to make packet
  for abort in sctp_ootb_pkt_new(), and just discard it if vtag is
  not correct.

2. In the other states: in sctp_sf_do_5_2_4_dupcook():

  asoc always exists, but duplicate cookie_echo's vtag will be
  handled by sctp_tietags_compare() and then take actions, so before
  that we only verify the vtag for the abort sent for invalid chunk
  length.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 1f52dfac

net/sctp/sm_statefuns.c

+10 −4
Original line number Diff line number Diff line
@@ -712,6 +712,9 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 
	struct sock *sk;

	int error = 0;



	if (asoc && !sctp_vtag_verify(chunk, asoc))

		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);



	/* If the packet is an OOTB packet which is temporarily on the

	 * control endpoint, respond with an ABORT.

	 */
@@ -726,7 +729,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, 
	 * in sctp_unpack_cookie().

	 */

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))

		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

						  commands);



	/* If the endpoint is not listening or if the number of associations

	 * on the TCP-style socket exceed the max backlog, respond with an
@@ -2156,9 +2160,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook( 
	 * enough for the chunk header.  Cookie length verification is

	 * done later.

	 */

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))

		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

						  commands);

	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) {

		if (!sctp_vtag_verify(chunk, asoc))

			asoc = NULL;

		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);

	}



	/* "Decode" the chunk.  We have no optional parameters so we

	 * are in good shape.