From: Wei Yongjun <yjwei@cn.fujitsu.com>
To: linux-sctp@vger.kernel.org
Subject: Re: [PATCH] sctp: Fix kernel panic while process protocol violation
Date: Tue, 09 Sep 2008 00:48:14 +0000 [thread overview]
Message-ID: <48C5C7CE.6040709@cn.fujitsu.com> (raw)
In-Reply-To: <48C47CBC.3000405@cn.fujitsu.com>
Vlad Yasevich wrote:
> Wei Yongjun wrote:
>
>> Since call to function sctp_sf_abort_violation() need paramter 'arg' with
>> 'struct sctp_chunk' type, it will read the chunk type and chunk length from
>> the chunk_hdr member of chunk. But call to sctp_sf_violation_paramlen()
>> always with 'struct sctp_paramhdr' type's parameter, it will be passed to
>> sctp_sf_abort_violation(). This may cause kernel panic.
>>
>> sctp_sf_violation_paramlen()
>> |-- sctp_sf_abort_violation()
>> |-- sctp_make_abort_violation()
>>
>> This patch fixed this problem by add a new paramter 'struct sctp_paramhdr'
>> to sctp_make_abort_violation(), if param is not NULL, encode phdr with
>> param,
>> if param is NULL, encode phdr with chunk.
>>
>> This patch also fix two place which called sctp_sf_violation_paramlen()
>> with
>> wrong paramter type.
>>
>
> GAK!!! Thanks for finding this.
>
> I am not sure I am very happy this approach though...
>
> sctp_sf_violation_paramlen() is only used in processing of ascof/asconf_ack,
> so changing generic ABORT generation to track another argument is not the
> cleanest solution...
>
> In addition, we also have sctp_process_inv_paramlength() which is almost
> the same thing as sctp_sf_violation_paramlen(). So, I think it would
> be a good idea to have this code cleaned up and merged into a single
> function that can be called from both palaces.
>
> Part of the problem is that INIT processing expects an error chunk instead
> of the abort. However, it's being rather dense in that regard and should
> be taught how to handle both.
>
> Once that happens, sctp_process_inv_paramlength() can start returning
> an ABORT chunk back just like sctp_sf_violation_paramlen(). An once
> that happens, we can call this one function from everywhere.
>
I'll have a try, thanks.
Wei Yongjun
next prev parent reply other threads:[~2008-09-09 0:48 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-08 1:15 [PATCH] sctp: Fix kernel panic while process protocol violation parameter Wei Yongjun
2008-09-08 15:03 ` [PATCH] sctp: Fix kernel panic while process protocol violation Vlad Yasevich
2008-09-09 0:48 ` Wei Yongjun [this message]
2008-09-19 9:34 ` Wei Yongjun
2008-09-19 20:14 ` Vlad Yasevich
2008-09-25 21:14 ` [PATCH] sctp: Fix kernel panic while process protocol violation parameter Vlad Yasevich
2008-09-30 12:33 ` [PATCH] sctp: Fix kernel panic while process protocol David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48C5C7CE.6040709@cn.fujitsu.com \
--to=yjwei@cn.fujitsu.com \
--cc=linux-sctp@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.