From mboxrd@z Thu Jan  1 00:00:00 1970
From: Vlad Yasevich <vladislav.yasevich@hp.com>
Subject: Re: [Lksctp-developers] [PATCH] SCTP: Fix kernel panic while	received
 AUTH chunk with BAD shared key identifier
Date: Fri, 25 Jan 2008 11:46:39 -0500
Message-ID: <479A126F.4010505@hp.com>
References: <4795A960.7000700@cn.fujitsu.com> <20080124121608.GA20633@hmsreliant.think-freely.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Wei Yongjun <yjwei@cn.fujitsu.com>, netdev@vger.kernel.org,
	lksctp-developers@lists.sourceforge.net
To: Neil Horman <nhorman@tuxdriver.com>
Return-path: <netdev-owner@vger.kernel.org>
Received: from g1t0029.austin.hp.com ([15.216.28.36]:18845 "EHLO
	g1t0029.austin.hp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752913AbYAYQql (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 25 Jan 2008 11:46:41 -0500
In-Reply-To: <20080124121608.GA20633@hmsreliant.think-freely.org>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

Neil Horman wrote:
> On Tue, Jan 22, 2008 at 05:29:20PM +0900, Wei Yongjun wrote:
>>
>> This patch fix this problem.
>>
>> Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
>>
>> --- a/net/sctp/auth.c	2008-01-21 00:03:25.000000000 -0500
>> +++ b/net/sctp/auth.c	2008-01-21 21:31:47.000000000 -0500
>> @@ -420,15 +420,15 @@ struct sctp_shared_key *sctp_auth_get_sh
>>  				const struct sctp_association *asoc,
>>  				__u16 key_id)
>>  {
>> -	struct sctp_shared_key *key = NULL;
>> +	struct sctp_shared_key *key;
>>  
>>  	/* First search associations set of endpoint pair shared keys */
>>  	key_for_each(key, &asoc->endpoint_shared_keys) {
>>  		if (key->key_id == key_id)
>> -			break;
>> +			return key;
>>  	}
>>  
>> -	return key;
>> +	return NULL;
>>  }
>>  
>>  /*
>>
> 
> FWIW, Ack from me.  The assignment of NULL to key can safely be removed, since
> key_for_each (which is just list_for_each_entry under the covers does an initial
> assignment to key anyway). 
> 
> If the endpoint_shared_keys list is empty, or if the key_id being requested does
> not exist, the function as it currently stands returns the actuall list_head (in
> this case endpoint_shared_keys.  Since that list_head isn't surrounded by an
> actuall data structure, the last iteration through list_for_each_entry will do a
> container_of on key, and we wind up returning a bogus pointer, instead of NULL,
> as we should.  Wei's patch corrects that.
> 
> Regards
> Neil
> 
> Acked-by: Neil Horman <nhorman@tuxdriver.com>
> 

Yep, the patch is correct.

Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>

-vlad