From: Wei Yongjun <yjwei@cn.fujitsu.com>
To: David Miller <davem@davemloft.net>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
lksctp <linux-sctp@vger.kernel.org>
Subject: [PATCH net-next-2.6 2/9] sctp: check invalid value of length parameter in error cause
Date: Wed, 20 Apr 2011 15:26:26 +0800 [thread overview]
Message-ID: <4DAE8AA2.10504@cn.fujitsu.com> (raw)
In-Reply-To: <4DAE8A27.3040007@cn.fujitsu.com>
From: Shan Wei <shanwei@cn.fujitsu.com>
RFC4960, section 3.3.7 said:
If an endpoint receives an ABORT with a format error or no TCB is
found, it MUST silently discard it.
When an endpoint receives ABORT that parameter value is invalid,
drop it.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
---
net/sctp/sm_statefuns.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index fe2036d..194d5ec 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2412,8 +2412,15 @@ static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
/* See if we have an error cause code in the chunk. */
len = ntohs(chunk->chunk_hdr->length);
- if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
+ if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
+
+ sctp_errhdr_t *err;
+ sctp_walk_errors(err, chunk->chunk_hdr);
+ if ((void *)err != (void *)chunk->chunk_end)
+ return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
+
error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
+ }
sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
/* ASSOC_FAILED will DELETE_TCB. */
--
1.6.5.2
next prev parent reply other threads:[~2011-04-20 7:26 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-20 7:24 [PATCH net-next-2.6 0/9] SCTP updates for net-next-2.6 Wei Yongjun
2011-04-20 7:25 ` [PATCH net-next-2.6 1/9] sctp: check parameter value of length in ERROR chunk Wei Yongjun
2011-04-20 7:26 ` Wei Yongjun [this message]
2011-04-20 7:27 ` [PATCH net-next-2.6 3/9] sctp: remove redundant check when walking through a list of TLV parameters Wei Yongjun
2011-04-20 7:28 ` [PATCH net-next-2.6 4/9] sctp: remove completely unsed EMPTY state Wei Yongjun
2011-04-20 7:29 ` [PATCH net-next-2.6 5/9] sctp: bail from sctp_endpoint_lookup_assoc() if not bound Wei Yongjun
2011-04-20 7:30 ` [PATCH net-next-2.6 6/9] sctp: handle ootb packet in chunk order as defined Wei Yongjun
2011-04-20 7:30 ` [PATCH net-next-2.6 7/9] sctp: fix to check the source address of COOKIE-ECHO chunk Wei Yongjun
2011-04-20 7:31 ` [PATCH net-next-2.6 8/9] sctp: make heartbeat information in sctp_make_heartbeat() Wei Yongjun
2011-04-20 7:32 ` [PATCH net-next-2.6 9/9] sctp: move chunk from retransmit queue to abandoned list Wei Yongjun
2011-04-20 8:55 ` [PATCH net-next-2.6 0/9] SCTP updates for net-next-2.6 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DAE8AA2.10504@cn.fujitsu.com \
--to=yjwei@cn.fujitsu.com \
--cc=davem@davemloft.net \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).