Commit dec5c911 authored by Jon Grimm's avatar Jon Grimm

sctp: Various invalid address check fixes. (jgrimm)

1) Need to check inside INIT chunks for addresses, not just
INIT-ACK otherwise we don't recognize restart.
2) The address check logic isn't being excercised early enough
in the restart.  Per the impl-guide it needs to happen as early
as INIT processing in COOKIE-ECHOED state. 
3) Eliminate more uses of deprecated sctpParam_t
parent b06ce00b
...@@ -329,10 +329,10 @@ __u32 sctp_generate_tag(const sctp_endpoint_t *); ...@@ -329,10 +329,10 @@ __u32 sctp_generate_tag(const sctp_endpoint_t *);
__u32 sctp_generate_tsn(const sctp_endpoint_t *); __u32 sctp_generate_tsn(const sctp_endpoint_t *);
/* 4th level prototypes */ /* 4th level prototypes */
void sctp_param2sockaddr(sockaddr_storage_t *addr, const sctpParam_t param, void sctp_param2sockaddr(sockaddr_storage_t *addr, sctp_addr_param_t *,
__u16 port); __u16 port);
int sctp_addr2sockaddr(const sctpParam_t, sockaddr_storage_t *); int sctp_addr2sockaddr(const sctpParam_t, sockaddr_storage_t *);
int sockaddr2sctp_addr(const sockaddr_storage_t *, sctpParam_t); int sockaddr2sctp_addr(const sockaddr_storage_t *, sctp_addr_param_t *);
/* Extern declarations for major data structures. */ /* Extern declarations for major data structures. */
sctp_sm_table_entry_t *sctp_chunk_event_lookup(sctp_cid_t, sctp_state_t); sctp_sm_table_entry_t *sctp_chunk_event_lookup(sctp_cid_t, sctp_state_t);
......
...@@ -378,7 +378,7 @@ typedef union { ...@@ -378,7 +378,7 @@ typedef union {
typedef union { typedef union {
sctp_ipv4addr_param_t v4; sctp_ipv4addr_param_t v4;
sctp_ipv6addr_param_t v6; sctp_ipv6addr_param_t v6;
} sctpIpAddress_t; } sctp_addr_param_t;
/* RFC 2960. Section 3.3.5 Heartbeat. /* RFC 2960. Section 3.3.5 Heartbeat.
* Heartbeat Information: variable length * Heartbeat Information: variable length
......
...@@ -476,13 +476,6 @@ sctp_transport_t *sctp_assoc_add_peer(sctp_association_t *asoc, ...@@ -476,13 +476,6 @@ sctp_transport_t *sctp_assoc_add_peer(sctp_association_t *asoc,
asoc->peer.retran_path = peer; asoc->peer.retran_path = peer;
} }
/* If we do not yet have a primary path, set one. */
if (NULL == asoc->peer.primary_path) {
asoc->peer.primary_path = peer;
asoc->peer.active_path = peer;
asoc->peer.retran_path = peer;
}
if (asoc->peer.active_path == asoc->peer.retran_path) if (asoc->peer.active_path == asoc->peer.retran_path)
asoc->peer.retran_path = peer; asoc->peer.retran_path = peer;
......
...@@ -199,11 +199,10 @@ int sctp_del_bind_addr(sctp_bind_addr_t *bp, sockaddr_storage_t *del_addr) ...@@ -199,11 +199,10 @@ int sctp_del_bind_addr(sctp_bind_addr_t *bp, sockaddr_storage_t *del_addr)
sctpParam_t sctp_bind_addrs_to_raw(const sctp_bind_addr_t *bp, int *addrs_len, sctpParam_t sctp_bind_addrs_to_raw(const sctp_bind_addr_t *bp, int *addrs_len,
int priority) int priority)
{ {
sctpParam_t rawaddr;
sctpParam_t addrparms; sctpParam_t addrparms;
sctpParam_t retval; sctpParam_t retval;
int addrparms_len; int addrparms_len;
sctpIpAddress_t rawaddr_space; sctp_addr_param_t rawaddr;
int len; int len;
struct sockaddr_storage_list *addr; struct sockaddr_storage_list *addr;
struct list_head *pos; struct list_head *pos;
...@@ -214,7 +213,7 @@ sctpParam_t sctp_bind_addrs_to_raw(const sctp_bind_addr_t *bp, int *addrs_len, ...@@ -214,7 +213,7 @@ sctpParam_t sctp_bind_addrs_to_raw(const sctp_bind_addr_t *bp, int *addrs_len,
/* Allocate enough memory at once. */ /* Allocate enough memory at once. */
list_for_each(pos, &bp->address_list) { list_for_each(pos, &bp->address_list) {
len += sizeof(sctp_ipv6addr_param_t); len += sizeof(sctp_addr_param_t);
} }
addrparms.v = kmalloc(len, priority); addrparms.v = kmalloc(len, priority);
...@@ -222,12 +221,11 @@ sctpParam_t sctp_bind_addrs_to_raw(const sctp_bind_addr_t *bp, int *addrs_len, ...@@ -222,12 +221,11 @@ sctpParam_t sctp_bind_addrs_to_raw(const sctp_bind_addr_t *bp, int *addrs_len,
goto end_raw; goto end_raw;
retval = addrparms; retval = addrparms;
rawaddr.v4 = &rawaddr_space.v4;
list_for_each(pos, &bp->address_list) { list_for_each(pos, &bp->address_list) {
addr = list_entry(pos, struct sockaddr_storage_list, list); addr = list_entry(pos, struct sockaddr_storage_list, list);
len = sockaddr2sctp_addr(&addr->a, rawaddr); len = sockaddr2sctp_addr(&addr->a, &rawaddr);
memcpy(addrparms.v, rawaddr.v, len); memcpy(addrparms.v, &rawaddr, len);
addrparms.v += len; addrparms.v += len;
addrparms_len += len; addrparms_len += len;
} }
...@@ -244,33 +242,39 @@ sctpParam_t sctp_bind_addrs_to_raw(const sctp_bind_addr_t *bp, int *addrs_len, ...@@ -244,33 +242,39 @@ sctpParam_t sctp_bind_addrs_to_raw(const sctp_bind_addr_t *bp, int *addrs_len,
int sctp_raw_to_bind_addrs(sctp_bind_addr_t *bp, __u8 *raw_addr_list, int sctp_raw_to_bind_addrs(sctp_bind_addr_t *bp, __u8 *raw_addr_list,
int addrs_len, __u16 port, int priority) int addrs_len, __u16 port, int priority)
{ {
sctpParam_t rawaddr; sctp_addr_param_t *rawaddr;
sctp_paramhdr_t *param;
sockaddr_storage_t addr; sockaddr_storage_t addr;
int retval = 0; int retval = 0;
int len; int len;
/* Convert the raw address to standard address format */ /* Convert the raw address to standard address format */
while (addrs_len) { while (addrs_len) {
rawaddr.v = raw_addr_list; param = (sctp_paramhdr_t *)raw_addr_list;
if (SCTP_PARAM_IPV4_ADDRESS==rawaddr.p->type rawaddr = (sctp_addr_param_t *)raw_addr_list;
|| SCTP_PARAM_IPV6_ADDRESS==rawaddr.p->type) {
switch (param->type) {
case SCTP_PARAM_IPV4_ADDRESS:
case SCTP_PARAM_IPV6_ADDRESS:
sctp_param2sockaddr(&addr, rawaddr, port); sctp_param2sockaddr(&addr, rawaddr, port);
retval = sctp_add_bind_addr(bp, &addr, priority); retval = sctp_add_bind_addr(bp, &addr, priority);
if (retval) { if (retval) {
/* Can't finish building the list, clean up. */ /* Can't finish building the list, clean up. */
sctp_bind_addr_clean(bp); sctp_bind_addr_clean(bp);
break; break;;
} }
len = ntohs(param->length);
len = ntohs(rawaddr.p->length);
addrs_len -= len; addrs_len -= len;
raw_addr_list += len; raw_addr_list += len;
} else { break;
default:
/* Corrupted raw addr list! */ /* Corrupted raw addr list! */
retval = -EINVAL; retval = -EINVAL;
sctp_bind_addr_clean(bp); sctp_bind_addr_clean(bp);
break; break;
} }
if (retval)
break;
} }
return retval; return retval;
......
...@@ -584,14 +584,20 @@ static sctp_association_t *__sctp_rcv_initack_lookup(struct sk_buff *skb, ...@@ -584,14 +584,20 @@ static sctp_association_t *__sctp_rcv_initack_lookup(struct sk_buff *skb,
struct sctphdr *sh = (struct sctphdr *) skb->h.raw; struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
sctp_chunkhdr_t *ch; sctp_chunkhdr_t *ch;
__u8 *ch_end, *data; __u8 *ch_end, *data;
sctpParam_t parm; sctp_paramhdr_t *parm;
ch = (sctp_chunkhdr_t *) skb->data; ch = (sctp_chunkhdr_t *) skb->data;
ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length)); ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));
if (SCTP_CID_INIT_ACK != ch->type) /* If this is INIT/INIT-ACK look inside the chunk too. */
switch (ch->type) {
case SCTP_CID_INIT:
case SCTP_CID_INIT_ACK:
break;
default:
return NULL; return NULL;
}
/* /*
* This code will NOT touch anything inside the chunk--it is * This code will NOT touch anything inside the chunk--it is
...@@ -609,25 +615,24 @@ static sctp_association_t *__sctp_rcv_initack_lookup(struct sk_buff *skb, ...@@ -609,25 +615,24 @@ static sctp_association_t *__sctp_rcv_initack_lookup(struct sk_buff *skb,
/* Find the start of the TLVs and the end of the chunk. This is /* Find the start of the TLVs and the end of the chunk. This is
* the region we search for address parameters. * the region we search for address parameters.
*/ */
data = skb->data + sizeof(sctp_init_chunk_t); data = skb->data + sizeof(sctp_init_chunk_t);
/* See sctp_process_init() for how to go thru TLVs. */ /* See sctp_process_init() for how to go thru TLVs. */
while (data < ch_end) { while (data < ch_end) {
parm.v = data; parm = (sctp_paramhdr_t *)data;
if (!parm.p->length) if (!parm->length)
break; break;
data += WORD_ROUND(ntohs(parm.p->length)); data += WORD_ROUND(ntohs(parm->length));
/* Note: Ignoring hostname addresses. */ /* Note: Ignoring hostname addresses. */
if ((SCTP_PARAM_IPV4_ADDRESS != parm.p->type) && if ((SCTP_PARAM_IPV4_ADDRESS != parm->type) &&
(SCTP_PARAM_IPV6_ADDRESS != parm.p->type)) (SCTP_PARAM_IPV6_ADDRESS != parm->type))
continue; continue;
sctp_param2sockaddr(paddr, parm, ntohs(sh->source)); sctp_param2sockaddr(paddr, (sctp_addr_param_t *)parm,
ntohs(sh->source));
asoc = __sctp_rcv_lookup_association(laddr, paddr, transportp); asoc = __sctp_rcv_lookup_association(laddr, paddr, transportp);
if (asoc) if (asoc)
return asoc; return asoc;
......
...@@ -1454,7 +1454,7 @@ int sctp_verify_init(const sctp_association_t *asoc, ...@@ -1454,7 +1454,7 @@ int sctp_verify_init(const sctp_association_t *asoc,
return 0; return 0;
} /* for (loop through all parameters) */ } /* for (loop through all parameters) */
return 1; return 1;
} }
...@@ -1710,6 +1710,7 @@ int sctp_process_param(sctp_association_t *asoc, sctpParam_t param, ...@@ -1710,6 +1710,7 @@ int sctp_process_param(sctp_association_t *asoc, sctpParam_t param,
sctp_cid_t cid, int priority) sctp_cid_t cid, int priority)
{ {
sockaddr_storage_t addr; sockaddr_storage_t addr;
sctp_addr_param_t *addrparm;
int j; int j;
int i; int i;
int retval = 1; int retval = 1;
...@@ -1721,24 +1722,23 @@ int sctp_process_param(sctp_association_t *asoc, sctpParam_t param, ...@@ -1721,24 +1722,23 @@ int sctp_process_param(sctp_association_t *asoc, sctpParam_t param,
*/ */
switch (param.p->type) { switch (param.p->type) {
case SCTP_PARAM_IPV4_ADDRESS: case SCTP_PARAM_IPV4_ADDRESS:
if (SCTP_CID_INIT != cid) { addrparm = (sctp_addr_param_t *)param.v;
sctp_param2sockaddr(&addr, param, asoc->peer.port); sctp_param2sockaddr(&addr, addrparm, asoc->peer.port);
scope = sctp_scope(peer_addr); scope = sctp_scope(peer_addr);
if (sctp_in_scope(&addr, scope)) if (sctp_in_scope(&addr, scope))
sctp_assoc_add_peer(asoc, &addr, priority); sctp_assoc_add_peer(asoc, &addr, priority);
}
break; break;
case SCTP_PARAM_IPV6_ADDRESS: case SCTP_PARAM_IPV6_ADDRESS:
if (SCTP_CID_INIT != cid) { /* Rethink this as we may need to keep for
if (PF_INET6 == asoc->base.sk->family) { * restart considerations.
sctp_param2sockaddr(&addr, param, */
asoc->peer.port); if (PF_INET6 == asoc->base.sk->family) {
scope = sctp_scope(peer_addr); addrparm = (sctp_addr_param_t *)param.v;
if (sctp_in_scope(&addr, scope)) sctp_param2sockaddr(&addr, addrparm, asoc->peer.port);
sctp_assoc_add_peer(asoc, &addr, scope = sctp_scope(peer_addr);
priority); if (sctp_in_scope(&addr, scope))
} sctp_assoc_add_peer(asoc, &addr, priority);
} }
break; break;
...@@ -1833,8 +1833,7 @@ __u32 sctp_generate_tag(const sctp_endpoint_t *ep) ...@@ -1833,8 +1833,7 @@ __u32 sctp_generate_tag(const sctp_endpoint_t *ep)
/* Select an initial TSN to send during startup. */ /* Select an initial TSN to send during startup. */
__u32 sctp_generate_tsn(const sctp_endpoint_t *ep) __u32 sctp_generate_tsn(const sctp_endpoint_t *ep)
{ {
/* I believe that this random number generator complies with RFC1750. */ __u32 retval;
__u32 retval;
get_random_bytes(&retval, sizeof(__u32)); get_random_bytes(&retval, sizeof(__u32));
return retval; return retval;
...@@ -1845,26 +1844,27 @@ __u32 sctp_generate_tsn(const sctp_endpoint_t *ep) ...@@ -1845,26 +1844,27 @@ __u32 sctp_generate_tsn(const sctp_endpoint_t *ep)
********************************************************************/ ********************************************************************/
/* Convert from an SCTP IP parameter to a sockaddr_storage_t. */ /* Convert from an SCTP IP parameter to a sockaddr_storage_t. */
void sctp_param2sockaddr(sockaddr_storage_t *addr, sctpParam_t param, __u16 port) void sctp_param2sockaddr(sockaddr_storage_t *addr, sctp_addr_param_t *param,
__u16 port)
{ {
switch(param.p->type) { switch(param->v4.param_hdr.type) {
case SCTP_PARAM_IPV4_ADDRESS: case SCTP_PARAM_IPV4_ADDRESS:
addr->v4.sin_family = AF_INET; addr->v4.sin_family = AF_INET;
addr->v4.sin_port = port; addr->v4.sin_port = port;
addr->v4.sin_addr.s_addr = param.v4->addr.s_addr; addr->v4.sin_addr.s_addr = param->v4.addr.s_addr;
break; break;
case SCTP_PARAM_IPV6_ADDRESS: case SCTP_PARAM_IPV6_ADDRESS:
addr->v6.sin6_family = AF_INET6; addr->v6.sin6_family = AF_INET6;
addr->v6.sin6_port = port; addr->v6.sin6_port = port;
addr->v6.sin6_flowinfo = 0; /* BUG */ addr->v6.sin6_flowinfo = 0; /* BUG */
addr->v6.sin6_addr = param.v6->addr; addr->v6.sin6_addr = param->v6.addr;
addr->v6.sin6_scope_id = 0; /* BUG */ addr->v6.sin6_scope_id = 0; /* BUG */
break; break;
default: default:
SCTP_DEBUG_PRINTK("Illegal address type %d\n", SCTP_DEBUG_PRINTK("Illegal address type %d\n",
ntohs(param.p->type)); ntohs(param->v4.param_hdr.type));
break; break;
}; };
} }
...@@ -1904,11 +1904,9 @@ int ipver2af(__u8 ipver) ...@@ -1904,11 +1904,9 @@ int ipver2af(__u8 ipver)
case 4: case 4:
family = AF_INET; family = AF_INET;
break; break;
case 6: case 6:
family = AF_INET6; family = AF_INET6;
break; break;
default: default:
family = 0; family = 0;
break; break;
...@@ -1917,25 +1915,26 @@ int ipver2af(__u8 ipver) ...@@ -1917,25 +1915,26 @@ int ipver2af(__u8 ipver)
return family; return family;
} }
/* Convert a sockaddr_in to IP address in an SCTP para. */ /* Convert a sockaddr_in to an IP address in an SCTP param.
/* Returns true if a valid conversion was possible. */ * Returns len if a valid conversion was possible.
int sockaddr2sctp_addr(const sockaddr_storage_t *sa, sctpParam_t p) */
int sockaddr2sctp_addr(const sockaddr_storage_t *sa, sctp_addr_param_t *p)
{ {
int len = 0; int len = 0;
switch (sa->v4.sin_family) { switch (sa->v4.sin_family) {
case AF_INET: case AF_INET:
p.p->type = SCTP_PARAM_IPV4_ADDRESS; p->v4.param_hdr.type = SCTP_PARAM_IPV4_ADDRESS;
p.p->length = ntohs(sizeof(sctp_ipv4addr_param_t)); p->v4.param_hdr.length = ntohs(sizeof(sctp_ipv4addr_param_t));
len = sizeof(sctp_ipv4addr_param_t); len = sizeof(sctp_ipv4addr_param_t);
p.v4->addr.s_addr = sa->v4.sin_addr.s_addr; p->v4.addr.s_addr = sa->v4.sin_addr.s_addr;
break; break;
case AF_INET6: case AF_INET6:
p.p->type = SCTP_PARAM_IPV6_ADDRESS; p->v6.param_hdr.type = SCTP_PARAM_IPV6_ADDRESS;
p.p->length = ntohs(sizeof(sctp_ipv6addr_param_t)); p->v6.param_hdr.length = ntohs(sizeof(sctp_ipv6addr_param_t));
len = sizeof(sctp_ipv6addr_param_t); len = sizeof(sctp_ipv6addr_param_t);
p.v6->addr = *(&sa->v6.sin6_addr); p->v6.addr = *(&sa->v6.sin6_addr);
break; break;
default: default:
......
...@@ -873,6 +873,105 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const sctp_endpoint_t *ep, ...@@ -873,6 +873,105 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const sctp_endpoint_t *ep,
return SCTP_DISPOSITION_CONSUME; return SCTP_DISPOSITION_CONSUME;
} }
/* Helper function to send out an abort for the restart
* condition.
*/
static int sctp_sf_send_restart_abort(sockaddr_storage_t *ssa,
sctp_chunk_t *init,
sctp_cmd_seq_t *commands)
{
int len;
sctp_packet_t *pkt;
sctp_addr_param_t *addrparm;
sctp_errhdr_t *errhdr;
sctp_endpoint_t *ep;
char buffer[sizeof(sctp_errhdr_t) + sizeof(sctp_addr_param_t)];
/* Build the error on the stack. We are way to malloc
* malloc crazy throughout the code today.
*/
errhdr = (sctp_errhdr_t *)buffer;
addrparm = (sctp_addr_param_t *)errhdr->variable;
/* Copy into a parm format. */
len = sockaddr2sctp_addr(ssa, addrparm);
len += sizeof(sctp_errhdr_t);
errhdr->cause = SCTP_ERROR_RESTART;
errhdr->length = htons(len);
/* Assign to the control socket. */
ep = sctp_sk((sctp_get_ctl_sock()))->ep;
/* Association is NULL since this may be a restart attack and we
* want to send back the attacker's vtag.
*/
pkt = sctp_abort_pkt_new(ep, NULL, init, errhdr, len);
if (!pkt)
goto out;
sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));
/* Discard the rest of the inbound packet. */
sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
out:
/* Even if there is no memory, treat as a failure so
* the packet will get dropped.
*/
return 0;
}
/* A restart is occuring, check to make sure no new addresses
* are being added as we may be under a takeover attack.
*/
static int sctp_sf_check_restart_addrs(const sctp_association_t *new_asoc,
const sctp_association_t *asoc,
sctp_chunk_t *init,
sctp_cmd_seq_t *commands)
{
sctp_transport_t *new_addr, *addr;
struct list_head *pos, *pos2;
int found;
/* Implementor's Guide - Sectin 5.2.2
* ...
* Before responding the endpoint MUST check to see if the
* unexpected INIT adds new addresses to the association. If new
* addresses are added to the association, the endpoint MUST respond
* with an ABORT..
*/
/* Search through all current addresses and make sure
* we aren't adding any new ones.
*/
new_addr = 0;
found = 0;
list_for_each(pos, &new_asoc->peer.transport_addr_list) {
new_addr = list_entry(pos, sctp_transport_t, transports);
found = 0;
list_for_each(pos2, &asoc->peer.transport_addr_list) {
addr = list_entry(pos2, sctp_transport_t, transports);
if (sctp_cmp_addr_exact(&new_addr->ipaddr,
&addr->ipaddr)) {
found = 1;
break;
}
}
if (!found)
break;
}
/* If a new address was added, ABORT the sender. */
if (!found && new_addr) {
sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands);
}
/* Return success if all addresses were found. */
return found;
}
/* Populate the verification/tie tags based on overlapping INIT /* Populate the verification/tie tags based on overlapping INIT
* scenario. * scenario.
* *
...@@ -969,6 +1068,7 @@ static sctp_disposition_t sctp_sf_do_unexpected_init( ...@@ -969,6 +1068,7 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
const sctp_subtype_t type, const sctp_subtype_t type,
void *arg, sctp_cmd_seq_t *commands) void *arg, sctp_cmd_seq_t *commands)
{ {
sctp_disposition_t retval;
sctp_chunk_t *chunk = arg; sctp_chunk_t *chunk = arg;
sctp_chunk_t *repl; sctp_chunk_t *repl;
sctp_association_t *new_asoc; sctp_association_t *new_asoc;
...@@ -1006,15 +1106,14 @@ static sctp_disposition_t sctp_sf_do_unexpected_init( ...@@ -1006,15 +1106,14 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
ntohs(err_chunk->chunk_hdr->length) - ntohs(err_chunk->chunk_hdr->length) -
sizeof(sctp_chunkhdr_t)); sizeof(sctp_chunkhdr_t));
sctp_free_chunk(err_chunk);
if (packet) { if (packet) {
sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
SCTP_PACKET(packet)); SCTP_PACKET(packet));
return SCTP_DISPOSITION_CONSUME; retval = SCTP_DISPOSITION_CONSUME;
} else { } else {
return SCTP_DISPOSITION_NOMEM; retval = SCTP_DISPOSITION_NOMEM;
} }
goto cleanup;
} else { } else {
return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, return sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
commands); commands);
...@@ -1039,6 +1138,19 @@ static sctp_disposition_t sctp_sf_do_unexpected_init( ...@@ -1039,6 +1138,19 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
sctp_process_init(new_asoc, chunk->chunk_hdr->type, sctp_source(chunk), sctp_process_init(new_asoc, chunk->chunk_hdr->type, sctp_source(chunk),
(sctp_init_chunk_t *)chunk->chunk_hdr, GFP_ATOMIC); (sctp_init_chunk_t *)chunk->chunk_hdr, GFP_ATOMIC);
/* Make sure no new addresses are being added during the
* restart. Do not do this check for COOKIE-WAIT state,
* since there are no peer addresses to check against.
* Upon return an ABORT will have been sent if needed.
*/
if (asoc->state != SCTP_STATE_COOKIE_WAIT) {
if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
commands)) {
retval = SCTP_DISPOSITION_CONSUME;
goto cleanup_asoc;
}
}
sctp_tietags_populate(new_asoc, asoc); sctp_tietags_populate(new_asoc, asoc);
/* B) "Z" shall respond immediately with an INIT ACK chunk. */ /* B) "Z" shall respond immediately with an INIT ACK chunk. */
...@@ -1086,13 +1198,18 @@ static sctp_disposition_t sctp_sf_do_unexpected_init( ...@@ -1086,13 +1198,18 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
* Otherwise, "Z" will be vulnerable to resource attacks. * Otherwise, "Z" will be vulnerable to resource attacks.
*/ */
sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL()); sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
return SCTP_DISPOSITION_CONSUME; retval = SCTP_DISPOSITION_CONSUME;
nomem: cleanup:
if (err_chunk) if (err_chunk)
sctp_free_chunk(err_chunk); sctp_free_chunk(err_chunk);
return retval;
return SCTP_DISPOSITION_NOMEM; nomem:
retval = SCTP_DISPOSITION_NOMEM;
goto cleanup;
cleanup_asoc:
sctp_association_free(new_asoc);
goto cleanup;
} }
/* /*
...@@ -1198,6 +1315,8 @@ sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const sctp_endpoint_t *ep, ...@@ -1198,6 +1315,8 @@ sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const sctp_endpoint_t *ep,
return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands); return sctp_sf_do_unexpected_init(ep, asoc, type, arg, commands);
} }
/* Unexpected COOKIE-ECHO handlerfor peer restart (Table 2, action 'A') /* Unexpected COOKIE-ECHO handlerfor peer restart (Table 2, action 'A')
* *
* Section 5.2.4 * Section 5.2.4
...@@ -1212,9 +1331,6 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const sctp_endpoint_t *ep, ...@@ -1212,9 +1331,6 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const sctp_endpoint_t *ep,
sctp_init_chunk_t *peer_init; sctp_init_chunk_t *peer_init;
sctp_ulpevent_t *ev; sctp_ulpevent_t *ev;
sctp_chunk_t *repl; sctp_chunk_t *repl;
sctp_transport_t *new_addr, *addr;
struct list_head *pos, *pos2, *temp;
int found, error;
/* new_asoc is a brand-new association, so these are not yet /* new_asoc is a brand-new association, so these are not yet
* side effects--it is safe to run them here. * side effects--it is safe to run them here.
...@@ -1223,60 +1339,14 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const sctp_endpoint_t *ep, ...@@ -1223,60 +1339,14 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const sctp_endpoint_t *ep,
sctp_process_init(new_asoc, chunk->chunk_hdr->type, sctp_process_init(new_asoc, chunk->chunk_hdr->type,
sctp_source(chunk), peer_init, GFP_ATOMIC); sctp_source(chunk), peer_init, GFP_ATOMIC);
/* Make sure peer is not adding new addresses. */ /* Make sure no new addresses are being added during the
found = 0; * restart. Though this is a pretty complicated attack
new_addr = NULL; * since you'd have to get inside the cookie.
list_for_each(pos, &new_asoc->peer.transport_addr_list) { */
new_addr = list_entry(pos, sctp_transport_t, transports); if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
found = 0; printk("cookie echo check\n");
list_for_each_safe(pos2, temp,
&asoc->peer.transport_addr_list) {
addr = list_entry(pos2, sctp_transport_t, transports);
if (sctp_cmp_addr_exact(&new_addr->ipaddr,
&addr->ipaddr)) {
found = 1;
break;
}
}
if (!found)
break;
}
if (!found) {
sctp_bind_addr_t *bp;
sctpParam_t rawaddr;
int len;
bp = sctp_bind_addr_new(GFP_ATOMIC);
if (!bp)
goto nomem;
error = sctp_add_bind_addr(bp, &new_addr->ipaddr, GFP_ATOMIC);
if (error)
goto nomem_add;
rawaddr = sctp_bind_addrs_to_raw(bp, &len, GFP_ATOMIC);
if (!rawaddr.v)
goto nomem_raw;
repl = sctp_make_abort(asoc, chunk, len+sizeof(sctp_errhdr_t));
if (!repl)
goto nomem_abort;
sctp_init_cause(repl, SCTP_ERROR_RESTART, rawaddr.v, len);
sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
/* Discard the rest of the packet too. */
sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,
SCTP_NULL());
return SCTP_DISPOSITION_CONSUME; return SCTP_DISPOSITION_CONSUME;
}
nomem_abort:
kfree(rawaddr.v);
nomem_raw:
nomem_add:
sctp_bind_addr_free(bp);
goto nomem;
}
/* For now, fail any unsent/unacked data. Consider the optional /* For now, fail any unsent/unacked data. Consider the optional
* choice of resending of this data. * choice of resending of this data.
...@@ -1305,7 +1375,6 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const sctp_endpoint_t *ep, ...@@ -1305,7 +1375,6 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const sctp_endpoint_t *ep,
nomem_ev: nomem_ev:
sctp_free_chunk(repl); sctp_free_chunk(repl);
nomem: nomem:
return SCTP_DISPOSITION_NOMEM; return SCTP_DISPOSITION_NOMEM;
} }
...@@ -2529,7 +2598,7 @@ sctp_disposition_t sctp_sf_tabort_8_4_8(const sctp_endpoint_t *ep, ...@@ -2529,7 +2598,7 @@ sctp_disposition_t sctp_sf_tabort_8_4_8(const sctp_endpoint_t *ep,
if (packet) { if (packet) {
/* Make an ABORT. The T bit will be set if the asoc /* Make an ABORT. The T bit will be set if the asoc
* is NULL. * is NULL.
*/ */
abort = sctp_make_abort(asoc, chunk, 0); abort = sctp_make_abort(asoc, chunk, 0);
if (!abort) { if (!abort) {
sctp_ootb_pkt_free(packet); sctp_ootb_pkt_free(packet);
...@@ -4092,10 +4161,10 @@ sctp_sackhdr_t *sctp_sm_pull_sack(sctp_chunk_t *chunk) ...@@ -4092,10 +4161,10 @@ sctp_sackhdr_t *sctp_sm_pull_sack(sctp_chunk_t *chunk)
* error causes. * error causes.
*/ */
sctp_packet_t *sctp_abort_pkt_new(const sctp_endpoint_t *ep, sctp_packet_t *sctp_abort_pkt_new(const sctp_endpoint_t *ep,
const sctp_association_t *asoc, const sctp_association_t *asoc,
sctp_chunk_t *chunk, sctp_chunk_t *chunk,
const void *payload, const void *payload,
size_t paylen) size_t paylen)
{ {
sctp_packet_t *packet; sctp_packet_t *packet;
sctp_chunk_t *abort; sctp_chunk_t *abort;
...@@ -4128,7 +4197,7 @@ sctp_packet_t *sctp_abort_pkt_new(const sctp_endpoint_t *ep, ...@@ -4128,7 +4197,7 @@ sctp_packet_t *sctp_abort_pkt_new(const sctp_endpoint_t *ep,
/* Allocate a packet for responding in the OOTB conditions. */ /* Allocate a packet for responding in the OOTB conditions. */
sctp_packet_t *sctp_ootb_pkt_new(const sctp_association_t *asoc, sctp_packet_t *sctp_ootb_pkt_new(const sctp_association_t *asoc,
const sctp_chunk_t *chunk) const sctp_chunk_t *chunk)
{ {
sctp_packet_t *packet; sctp_packet_t *packet;
sctp_transport_t *transport; sctp_transport_t *transport;
...@@ -4146,7 +4215,14 @@ sctp_packet_t *sctp_ootb_pkt_new(const sctp_association_t *asoc, ...@@ -4146,7 +4215,14 @@ sctp_packet_t *sctp_ootb_pkt_new(const sctp_association_t *asoc,
if (asoc) { if (asoc) {
vtag = asoc->peer.i.init_tag; vtag = asoc->peer.i.init_tag;
} else { } else {
vtag = ntohl(chunk->sctp_hdr->vtag); /* Special case the INIT as there is no vtag yet. */
if (SCTP_CID_INIT == chunk->chunk_hdr->type) {
sctp_init_chunk_t *init;
init = (sctp_init_chunk_t *)&chunk->chunk_hdr;
vtag = ntohl(init->init_hdr.init_tag);
} else {
vtag = ntohl(chunk->sctp_hdr->vtag);
}
} }
/* Make a transport for the bucket, Eliza... */ /* Make a transport for the bucket, Eliza... */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment