[PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[Gui Jianfeng]

Hi Vlad,
When kernel receives a INIT ACK which has an invalid length, it replies a 0 VerificationTag ABORT.
This violates sctp protocol apparently, and doesn't comply to RFC requirement. VerificationTag 
is allowed to set to 0 only in INIT Chunk packet.
We need to record the VerificationTag from INIT ACK before sending out the ABORT Chunk.

Here is a patch for fixing this bug.

Signed-off-by: Guijianfeng <guijianfeng@cn.fujitsu.com>
---
 include/net/sctp/command.h |    1 +
 net/sctp/sm_sideeffect.c   |    5 ++++-
 net/sctp/sm_statefuns.c    |    9 +++++++++
 3 files changed, 14 insertions(+), 1 deletions(-)

diff --git a/include/net/sctp/command.h b/include/net/sctp/command.h
index 10ae2da..35b1e83 100644
--- a/include/net/sctp/command.h
+++ b/include/net/sctp/command.h
@@ -104,6 +104,7 @@ typedef enum {
 	SCTP_CMD_ADAPTATION_IND, /* generate and send adaptation event */
 	SCTP_CMD_ASSOC_SHKEY,    /* generate the association shared keys */
 	SCTP_CMD_T1_RETRAN,	 /* Mark for retransmission after T1 timeout  */
+	SCTP_CMD_UPDATE_INITTAG, /* Update peer inittag */
 	SCTP_CMD_LAST
 } sctp_verb_t;
 
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 28eb38e..2dbc7bd 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -1536,7 +1536,10 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
 			error = sctp_auth_asoc_init_active_key(asoc,
 						GFP_ATOMIC);
 			break;
-
+		case SCTP_CMD_UPDATE_INITTAG:
+			asoc->peer.i.init_tag = cmd->obj.u32;
+			break;
+			
 		default:
 			printk(KERN_WARNING "Impossible command: %u, %p\n",
 			       cmd->verb, cmd->obj.ptr);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index f2ed647..1bc2c49 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -4144,6 +4144,15 @@ static sctp_disposition_t sctp_sf_abort_violation(
 		goto nomem;
 
 	if (asoc) {
+		/* Treat INIT-ACK as a special case. */
+		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK) {
+			sctp_initack_chunk_t *initack;
+
+			initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
+			sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
+					SCTP_U32(ntohl(initack->init_hdr.init_tag)));
+		}
+
 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
 		SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
 
-- 
1.5.3

Re: [PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[Wei Yongjun]

NACK.

If the INIT-ACK chunk is too short to contain the init-tag, get the 
init-tag of peer may get a unexpected value.
Such as this:
  CHUNK_INIT_ACK
   Type                             = 2
   Flags                            = 0
   Length                           = 4

So I think the better way is to set T bit of ABORT chunk and used the 
own's Tag.

Regards.
Wei Yongjun

Gui Jianfeng wrote:
> Hi Vlad,
> When kernel receives a INIT ACK which has an invalid length, it replies a 0 VerificationTag ABORT.
> This violates sctp protocol apparently, and doesn't comply to RFC requirement. VerificationTag 
> is allowed to set to 0 only in INIT Chunk packet.
> We need to record the VerificationTag from INIT ACK before sending out the ABORT Chunk.
>
> Here is a patch for fixing this bug.
>
> Signed-off-by: Guijianfeng <guijianfeng@cn.fujitsu.com>
> ---
>  include/net/sctp/command.h |    1 +
>  net/sctp/sm_sideeffect.c   |    5 ++++-
>  net/sctp/sm_statefuns.c    |    9 +++++++++
>  3 files changed, 14 insertions(+), 1 deletions(-)
>
> diff --git a/include/net/sctp/command.h b/include/net/sctp/command.h
> index 10ae2da..35b1e83 100644
> --- a/include/net/sctp/command.h
> +++ b/include/net/sctp/command.h
> @@ -104,6 +104,7 @@ typedef enum {
>  	SCTP_CMD_ADAPTATION_IND, /* generate and send adaptation event */
>  	SCTP_CMD_ASSOC_SHKEY,    /* generate the association shared keys */
>  	SCTP_CMD_T1_RETRAN,	 /* Mark for retransmission after T1 timeout  */
> +	SCTP_CMD_UPDATE_INITTAG, /* Update peer inittag */
>  	SCTP_CMD_LAST
>  } sctp_verb_t;
>  
> diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
> index 28eb38e..2dbc7bd 100644
> --- a/net/sctp/sm_sideeffect.c
> +++ b/net/sctp/sm_sideeffect.c
> @@ -1536,7 +1536,10 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
>  			error = sctp_auth_asoc_init_active_key(asoc,
>  						GFP_ATOMIC);
>  			break;
> -
> +		case SCTP_CMD_UPDATE_INITTAG:
> +			asoc->peer.i.init_tag = cmd->obj.u32;
> +			break;
> +			
>  		default:
>  			printk(KERN_WARNING "Impossible command: %u, %p\n",
>  			       cmd->verb, cmd->obj.ptr);
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index f2ed647..1bc2c49 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -4144,6 +4144,15 @@ static sctp_disposition_t sctp_sf_abort_violation(
>  		goto nomem;
>  
>  	if (asoc) {
> +		/* Treat INIT-ACK as a special case. */
> +		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK) {
> +			sctp_initack_chunk_t *initack;
> +
> +			initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
> +			sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
> +					SCTP_U32(ntohl(initack->init_hdr.init_tag)));
> +		}
> +
>  		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
>  		SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
>   

Re: [PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[Gui Jianfeng]

Wei Yongjun wrote:
> NACK.
> 
> If the INIT-ACK chunk is too short to contain the init-tag, get the
> init-tag of peer may get a unexpected value.
> Such as this:
>  CHUNK_INIT_ACK
>   Type                             = 2
>   Flags                            = 0
>   Length                           = 4
> 
> So I think the better way is to set T bit of ABORT chunk and used the
> own's Tag.

  Seems reasonable. Please ignore the previous one, here is a new patch.

Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
---
 net/sctp/outqueue.c     |    3 +++
 net/sctp/sm_statefuns.c |    5 +++++
 2 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 1bb3c5c..c071446 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -793,6 +793,9 @@ int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
 			break;
 
 		case SCTP_CID_ABORT:
+			if (sctp_test_T_bit(chunk)) {
+				packet->vtag = asoc->c.my_vtag;
+			}
 		case SCTP_CID_SACK:
 		case SCTP_CID_HEARTBEAT:
 		case SCTP_CID_HEARTBEAT_ACK:
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index f2ed647..85e1d63 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -4144,6 +4144,11 @@ static sctp_disposition_t sctp_sf_abort_violation(
 		goto nomem;
 
 	if (asoc) {
+		/* Treat INIT-ACK as a special case. */
+		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK) {
+			abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
+		}
+
 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
 		SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
 
-- 
1.5.3


-- 
Regards
Gui Jianfeng

Re: [PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[Wei Yongjun]

Hi Gui:

I looked the source code and found that only in the state *COOKIE_WAIT* 
received INIT-ACK need to do this, not all of the states. The other 
states we should have known the init-tag of peer.

Gui Jianfeng wrote:
> Wei Yongjun wrote:
>   
>> NACK.
>>
>> If the INIT-ACK chunk is too short to contain the init-tag, get the
>> init-tag of peer may get a unexpected value.
>> Such as this:
>>  CHUNK_INIT_ACK
>>   Type                             = 2
>>   Flags                            = 0
>>   Length                           = 4
>>
>> So I think the better way is to set T bit of ABORT chunk and used the
>> own's Tag.
>>     
>
>   Seems reasonable. Please ignore the previous one, here is a new patch.
>
> Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
> ---
>  net/sctp/outqueue.c     |    3 +++
>  net/sctp/sm_statefuns.c |    5 +++++
>  2 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
> index 1bb3c5c..c071446 100644
> --- a/net/sctp/outqueue.c
> +++ b/net/sctp/outqueue.c
> @@ -793,6 +793,9 @@ int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
>  			break;
>  
>  		case SCTP_CID_ABORT:
> +			if (sctp_test_T_bit(chunk)) {
> +				packet->vtag = asoc->c.my_vtag;
> +			}
>  		case SCTP_CID_SACK:
>  		case SCTP_CID_HEARTBEAT:
>  		case SCTP_CID_HEARTBEAT_ACK:
>   

> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index f2ed647..85e1d63 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -4144,6 +4144,11 @@ static sctp_disposition_t sctp_sf_abort_violation(
>  		goto nomem;
>  
>  	if (asoc) {
> +		/* Treat INIT-ACK as a special case. */
> +		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK) {
> +			abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
> +		}
> +
>  		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
>  		SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
>  
>   
Those code should be move to sctp_make_abort 
<../cgi-bin/global.cgi?pattern=sctp_make_abort&type=reference>() for 
common using. And may be need check whether we need the T flags.

Re: [PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[Gui Jianfeng]

Wei Yongjun wrote:
> Hi Gui:
> 
> I looked the source code and found that only in the state *COOKIE_WAIT*
> received INIT-ACK need to do this, not all of the states. The other
> states we should have known the init-tag of peer.
  yes, it's the only possibility.

> 
> Gui Jianfeng wrote:
>> Wei Yongjun wrote:
>>  
>>> NACK.
>>>
>>> If the INIT-ACK chunk is too short to contain the init-tag, get the
>>> init-tag of peer may get a unexpected value.
>>> Such as this:
>>>  CHUNK_INIT_ACK
>>>   Type                             = 2
>>>   Flags                            = 0
>>>   Length                           = 4
>>>
>>> So I think the better way is to set T bit of ABORT chunk and used the
>>> own's Tag.
>>>     
>>
>>   Seems reasonable. Please ignore the previous one, here is a new patch.
>>
>> Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
>> ---
>>  net/sctp/outqueue.c     |    3 +++
>>  net/sctp/sm_statefuns.c |    5 +++++
>>  2 files changed, 8 insertions(+), 0 deletions(-)
>>
>> diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
>> index 1bb3c5c..c071446 100644
>> --- a/net/sctp/outqueue.c
>> +++ b/net/sctp/outqueue.c
>> @@ -793,6 +793,9 @@ int sctp_outq_flush(struct sctp_outq *q, int
>> rtx_timeout)
>>              break;
>>  
>>          case SCTP_CID_ABORT:
>> +            if (sctp_test_T_bit(chunk)) {
>> +                packet->vtag = asoc->c.my_vtag;
>> +            }
>>          case SCTP_CID_SACK:
>>          case SCTP_CID_HEARTBEAT:
>>          case SCTP_CID_HEARTBEAT_ACK:
>>   
> 
>> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
>> index f2ed647..85e1d63 100644
>> --- a/net/sctp/sm_statefuns.c
>> +++ b/net/sctp/sm_statefuns.c
>> @@ -4144,6 +4144,11 @@ static sctp_disposition_t sctp_sf_abort_violation(
>>          goto nomem;
>>  
>>      if (asoc) {
>> +        /* Treat INIT-ACK as a special case. */
>> +        if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK) {
>> +            abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
>> +        }
>> +
>>          sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
>>          SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
>>  
>>   
> Those code should be move to sctp_make_abort() for
> common using. And may be need check whether we need the T flags.
  This rarely happens, so i think it's sufficient to place this block of code here.
  Moving it into sctp_make_abort() will waste much cpu time when generating each abort chunk .

> 
> 
> 
> 

-- 
Regards
Gui Jianfeng

Re: [PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[Vlad Yasevich]

Gui Jianfeng wrote:
> Wei Yongjun wrote:
>> Hi Gui:
>>
>> I looked the source code and found that only in the state *COOKIE_WAIT*
>> received INIT-ACK need to do this, not all of the states. The other
>> states we should have known the init-tag of peer.
>   yes, it's the only possibility.
> 
>> Gui Jianfeng wrote:
>>> Wei Yongjun wrote:
>>>  
>>>> NACK.
>>>>
>>>> If the INIT-ACK chunk is too short to contain the init-tag, get the
>>>> init-tag of peer may get a unexpected value.
>>>> Such as this:
>>>>  CHUNK_INIT_ACK
>>>>   Type                             = 2
>>>>   Flags                            = 0
>>>>   Length                           = 4
>>>>
>>>> So I think the better way is to set T bit of ABORT chunk and used the
>>>> own's Tag.
>>>>     
>>>   Seems reasonable. Please ignore the previous one, here is a new patch.
>>>
>>> Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
>>> ---
>>>  net/sctp/outqueue.c     |    3 +++
>>>  net/sctp/sm_statefuns.c |    5 +++++
>>>  2 files changed, 8 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
>>> index 1bb3c5c..c071446 100644
>>> --- a/net/sctp/outqueue.c
>>> +++ b/net/sctp/outqueue.c
>>> @@ -793,6 +793,9 @@ int sctp_outq_flush(struct sctp_outq *q, int
>>> rtx_timeout)
>>>              break;
>>>  
>>>          case SCTP_CID_ABORT:
>>> +            if (sctp_test_T_bit(chunk)) {
>>> +                packet->vtag = asoc->c.my_vtag;
>>> +            }
>>>          case SCTP_CID_SACK:
>>>          case SCTP_CID_HEARTBEAT:
>>>          case SCTP_CID_HEARTBEAT_ACK:
>>>   
>>> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
>>> index f2ed647..85e1d63 100644
>>> --- a/net/sctp/sm_statefuns.c
>>> +++ b/net/sctp/sm_statefuns.c
>>> @@ -4144,6 +4144,11 @@ static sctp_disposition_t sctp_sf_abort_violation(
>>>          goto nomem;
>>>  
>>>      if (asoc) {
>>> +        /* Treat INIT-ACK as a special case. */
>>> +        if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK) {
>>> +            abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
>>> +        }
>>> +
>>>          sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
>>>          SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
>>>  
>>>   
>> Those code should be move to sctp_make_abort() for
>> common using. And may be need check whether we need the T flags.
>   This rarely happens, so i think it's sufficient to place this block of code here.
>   Moving it into sctp_make_abort() will waste much cpu time when generating each abort chunk .
> 

There is a side-effect to this patch that now we will completely ignore the verification
tag in the INIT-ACK regardless of the violation.

In particular, if the INIT-ACK contains all the fixed parameters but violates structure
in some variable parameters, we'll currently use the Initiate Tag from the INIT-ACK in
the ABORT.   We should not be changing this behavior.

The simple hack is to add some conditional code into the the different violation functions, but
I'd like to see if there is a cleaner way to solve this.

-vlad

Re: [PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[Gui Jianfeng]

Vlad Yasevich wrote:
> There is a side-effect to this patch that now we will completely ignore
> the verification
> tag in the INIT-ACK regardless of the violation.
> 
> In particular, if the INIT-ACK contains all the fixed parameters but
> violates structure
> in some variable parameters, we'll currently use the Initiate Tag from
> the INIT-ACK in
> the ABORT.   We should not be changing this behavior.
> 
> The simple hack is to add some conditional code into the the different
> violation functions, but
> I'd like to see if there is a cleaner way to solve this.
 
Vlad,
  The problem you said has been addressed, this is a new patch. Just treat 
  an INIT-ACK received during COOKIE-WAIT as a special case. this patch will
  not break the normal behavior.

Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
---
 include/net/sctp/command.h |    1 +
 net/sctp/outqueue.c        |    3 +++
 net/sctp/sm_sideeffect.c   |    5 ++++-
 net/sctp/sm_statefuns.c    |   18 ++++++++++++++++++
 4 files changed, 26 insertions(+), 1 deletions(-)

diff --git a/include/net/sctp/command.h b/include/net/sctp/command.h
index 10ae2da..35b1e83 100644
--- a/include/net/sctp/command.h
+++ b/include/net/sctp/command.h
@@ -104,6 +104,7 @@ typedef enum {
 	SCTP_CMD_ADAPTATION_IND, /* generate and send adaptation event */
 	SCTP_CMD_ASSOC_SHKEY,    /* generate the association shared keys */
 	SCTP_CMD_T1_RETRAN,	 /* Mark for retransmission after T1 timeout  */
+	SCTP_CMD_UPDATE_INITTAG, /* Update peer inittag */
 	SCTP_CMD_LAST
 } sctp_verb_t;
 
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 1bb3c5c..c071446 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -793,6 +793,9 @@ int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
 			break;
 
 		case SCTP_CID_ABORT:
+			if (sctp_test_T_bit(chunk)) {
+				packet->vtag = asoc->c.my_vtag;
+			}
 		case SCTP_CID_SACK:
 		case SCTP_CID_HEARTBEAT:
 		case SCTP_CID_HEARTBEAT_ACK:
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 28eb38e..2dbc7bd 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -1536,7 +1536,10 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
 			error = sctp_auth_asoc_init_active_key(asoc,
 						GFP_ATOMIC);
 			break;
-
+		case SCTP_CMD_UPDATE_INITTAG:
+			asoc->peer.i.init_tag = cmd->obj.u32;
+			break;
+			
 		default:
 			printk(KERN_WARNING "Impossible command: %u, %p\n",
 			       cmd->verb, cmd->obj.ptr);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index f2ed647..b3ed52c 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -4144,6 +4144,24 @@ static sctp_disposition_t sctp_sf_abort_violation(
 		goto nomem;
 
 	if (asoc) {
+		/* Treat INIT-ACK as a special case during COOKIE-WAIT. */
+		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK 
+		    && !asoc->peer.i.init_tag) {
+			sctp_initack_chunk_t *initack;
+
+			initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
+			if (!sctp_chunk_length_valid(chunk, 
+						     sizeof(sctp_initack_chunk_t)))
+				abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
+			else {
+				unsigned int inittag;
+				
+				inittag = ntohl(initack->init_hdr.init_tag);
+				sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
+						SCTP_U32(inittag));
+			}
+		}
+
 		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
 		SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
 
-- 
1.5.3



-- 
Regards
Gui Jianfeng

Re: [PATCH] SCTP: Fix Protocol violation when receiving a error length INIT ACK

[Vlad Yasevich]

Gui Jianfeng wrote:
> Vlad Yasevich wrote:
>> There is a side-effect to this patch that now we will completely ignore
>> the verification
>> tag in the INIT-ACK regardless of the violation.
>>
>> In particular, if the INIT-ACK contains all the fixed parameters but
>> violates structure
>> in some variable parameters, we'll currently use the Initiate Tag from
>> the INIT-ACK in
>> the ABORT.   We should not be changing this behavior.
>>
>> The simple hack is to add some conditional code into the the different
>> violation functions, but
>> I'd like to see if there is a cleaner way to solve this.
>  
> Vlad,
>   The problem you said has been addressed, this is a new patch. Just treat 
>   an INIT-ACK received during COOKIE-WAIT as a special case. this patch will
>   not break the normal behavior.

Ok.  One minor style thing.

> 
> Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
> ---
>  include/net/sctp/command.h |    1 +
>  net/sctp/outqueue.c        |    3 +++
>  net/sctp/sm_sideeffect.c   |    5 ++++-
>  net/sctp/sm_statefuns.c    |   18 ++++++++++++++++++
>  4 files changed, 26 insertions(+), 1 deletions(-)
> 
> diff --git a/include/net/sctp/command.h b/include/net/sctp/command.h
> index 10ae2da..35b1e83 100644
> --- a/include/net/sctp/command.h
> +++ b/include/net/sctp/command.h
> @@ -104,6 +104,7 @@ typedef enum {
>  	SCTP_CMD_ADAPTATION_IND, /* generate and send adaptation event */
>  	SCTP_CMD_ASSOC_SHKEY,    /* generate the association shared keys */
>  	SCTP_CMD_T1_RETRAN,	 /* Mark for retransmission after T1 timeout  */
> +	SCTP_CMD_UPDATE_INITTAG, /* Update peer inittag */
>  	SCTP_CMD_LAST
>  } sctp_verb_t;
>  
> diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
> index 1bb3c5c..c071446 100644
> --- a/net/sctp/outqueue.c
> +++ b/net/sctp/outqueue.c
> @@ -793,6 +793,9 @@ int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
>  			break;
>  
>  		case SCTP_CID_ABORT:
> +			if (sctp_test_T_bit(chunk)) {
> +				packet->vtag = asoc->c.my_vtag;
> +			}
>  		case SCTP_CID_SACK:
>  		case SCTP_CID_HEARTBEAT:
>  		case SCTP_CID_HEARTBEAT_ACK:
> diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
> index 28eb38e..2dbc7bd 100644
> --- a/net/sctp/sm_sideeffect.c
> +++ b/net/sctp/sm_sideeffect.c
> @@ -1536,7 +1536,10 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
>  			error = sctp_auth_asoc_init_active_key(asoc,
>  						GFP_ATOMIC);
>  			break;
> -
> +		case SCTP_CMD_UPDATE_INITTAG:
> +			asoc->peer.i.init_tag = cmd->obj.u32;
> +			break;
> +			
>  		default:
>  			printk(KERN_WARNING "Impossible command: %u, %p\n",
>  			       cmd->verb, cmd->obj.ptr);
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index f2ed647..b3ed52c 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -4144,6 +4144,24 @@ static sctp_disposition_t sctp_sf_abort_violation(
>  		goto nomem;
>  
>  	if (asoc) {
> +		/* Treat INIT-ACK as a special case during COOKIE-WAIT. */
> +		if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK 
> +		    && !asoc->peer.i.init_tag) {
                ^^^^^^^^^

The '&&' usually goes at the end of the line.

> +			sctp_initack_chunk_t *initack;
> +
> +			initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
> +			if (!sctp_chunk_length_valid(chunk, 
> +						     sizeof(sctp_initack_chunk_t)))
> +				abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
> +			else {
> +				unsigned int inittag;
> +				
> +				inittag = ntohl(initack->init_hdr.init_tag);
> +				sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
> +						SCTP_U32(inittag));
> +			}
> +		}
> +
>  		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
>  		SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
>  

Can you also resend with a clean patch description.

Thanks
-vlad