From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qk0-f195.google.com ([209.85.220.195]:38862 "EHLO mail-qk0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933152AbeFGSVv (ORCPT ); Thu, 7 Jun 2018 14:21:51 -0400 Date: Thu, 7 Jun 2018 15:21:47 -0300 From: Marcelo Ricardo Leitner To: Ben Hutchings Cc: Xin Long , Neil Horman , stable@vger.kernel.org, "David S. Miller" , Greg Kroah-Hartman , LKML Subject: Re: [PATCH 4.4 19/92] sctp: delay the authentication for the duplicated cookie-echo chunk Message-ID: <20180607182147.GD31423@localhost.localdomain> References: <20180524093159.286472249@linuxfoundation.org> <20180524093200.931521036@linuxfoundation.org> <1528324307.2289.61.camel@codethink.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1528324307.2289.61.camel@codethink.co.uk> Sender: stable-owner@vger.kernel.org List-ID: On Wed, Jun 06, 2018 at 11:31:47PM +0100, Ben Hutchings wrote: > On Thu, 2018-05-24 at 11:37 +0200, Greg Kroah-Hartman wrote: > > 4.4-stable review patch.��If anyone has any objections, please let me know. > > > > ------------------ > > > > From: Xin Long > > > > [ Upstream commit 59d8d4434f429b4fa8a346fd889058bda427a837 ] > > > > Now sctp only delays the authentication for the normal cookie-echo > > chunk by setting chunk->auth_chunk in sctp_endpoint_bh_rcv(). But > > for the duplicated one with auth, in sctp_assoc_bh_rcv(), it does > > authentication first based on the old asoc, which will definitely > > fail due to the different auth info in the old asoc. > [...] > > --- a/net/sctp/associola.c > > +++ b/net/sctp/associola.c > > @@ -1000,9 +1000,10 @@ static void sctp_assoc_bh_rcv(struct wor > > � struct sctp_endpoint *ep; > > � struct sctp_chunk *chunk; > > � struct sctp_inq *inqueue; > > - int state; > > � sctp_subtype_t subtype; > > + int first_time = 1; /* is this the first time through the loop */ > > � int error = 0; > > + int state; > > � > > � /* The association should be held so we should be safe. */ > > � ep = asoc->ep; > > @@ -1013,6 +1014,30 @@ static void sctp_assoc_bh_rcv(struct wor > > � state = asoc->state; > > � subtype = SCTP_ST_CHUNK(chunk->chunk_hdr->type); > > � > > + /* If the first chunk in the packet is AUTH, do special > > + �* processing specified in Section 6.3 of SCTP-AUTH spec > > + �*/ > > + if (first_time && subtype.chunk == SCTP_CID_AUTH) { > > + struct sctp_chunkhdr *next_hdr; > > + > > + next_hdr = sctp_inq_peek(inqueue); > > + if (!next_hdr) > > + goto normal; > > + > > + /* If the next chunk is COOKIE-ECHO, skip the AUTH > > + �* chunk while saving a pointer to it so we can do > > + �* Authentication later (during cookie-echo > > + �* processing). > > + �*/ > > + if (next_hdr->type == SCTP_CID_COOKIE_ECHO) { > > + chunk->auth_chunk = skb_clone(chunk->skb, > > + ������GFP_ATOMIC); > > + chunk->auth = 1; > > Doesn't the first_time flag need to be cleared here (and before the > other continue statement in this loop)? Seems the description is not matching the code closely. As is, first_time is about the first time an AUTH chunk is handled followed by a COOKIE-ECHO chunk (which is what we wanted, in the end), and not strictly enforcing 'first chunk in the packet', as the description says. We should rename this first_time into a chunk counter instead. It may even help with debugging on crashes. Thanks for reviewing this, btw. Marcelo > > Ben. > > > + continue; > > + } > > + } > > + > > +normal: > [...] > > -- > Ben Hutchings, Software Developer � Codethink Ltd > https://www.codethink.co.uk/ Dale House, 35 Dale Street > Manchester, M1 2HF, United Kingdom