Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
386f9ab3
Commit
386f9ab3
authored
Jun 03, 2004
by
Sridhar Samudrala
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[SCTP] Fix missing VTAG validation on certain incoming packets.
parent
13ee2364
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
51 additions
and
74 deletions
+51
-74
include/net/sctp/sm.h
include/net/sctp/sm.h
+17
-0
net/sctp/sm_statefuns.c
net/sctp/sm_statefuns.c
+34
-74
No files found.
include/net/sctp/sm.h
View file @
386f9ab3
...
@@ -440,6 +440,23 @@ static inline void sctp_add_cmd_sf(sctp_cmd_seq_t *seq, sctp_verb_t verb, sctp_a
...
@@ -440,6 +440,23 @@ static inline void sctp_add_cmd_sf(sctp_cmd_seq_t *seq, sctp_verb_t verb, sctp_a
BUG
();
BUG
();
}
}
/* Check VTAG of the packet matches the sender's own tag. */
static
inline
int
sctp_vtag_verify
(
const
struct
sctp_chunk
*
chunk
,
const
struct
sctp_association
*
asoc
)
{
/* RFC 2960 Sec 8.5 When receiving an SCTP packet, the endpoint
* MUST ensure that the value in the Verification Tag field of
* the received SCTP packet matches its own Tag. If the received
* Verification Tag value does not match the receiver's own
* tag value, the receiver shall silently discard the packet...
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
==
asoc
->
c
.
my_vtag
)
return
1
;
return
0
;
}
/* Check VTAG of the packet matches the sender's own tag OR its peer's
/* Check VTAG of the packet matches the sender's own tag OR its peer's
* tag and the T bit is set in the Chunk Flags.
* tag and the T bit is set in the Chunk Flags.
*/
*/
...
...
net/sctp/sm_statefuns.c
View file @
386f9ab3
...
@@ -171,7 +171,7 @@ sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep,
...
@@ -171,7 +171,7 @@ sctp_disposition_t sctp_sf_do_4_C(const struct sctp_endpoint *ep,
* Verification Tag field to Tag_A, and also provide its own
* Verification Tag field to Tag_A, and also provide its own
* Verification Tag (Tag_Z) in the Initiate Tag field.
* Verification Tag (Tag_Z) in the Initiate Tag field.
*
*
* Verification Tag:
No checking.
* Verification Tag:
Must be 0.
*
*
* Inputs
* Inputs
* (endpoint, asoc, chunk)
* (endpoint, asoc, chunk)
...
@@ -219,6 +219,12 @@ sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
...
@@ -219,6 +219,12 @@ sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
(
sk
->
sk_ack_backlog
>=
sk
->
sk_max_ack_backlog
)))
(
sk
->
sk_ack_backlog
>=
sk
->
sk_max_ack_backlog
)))
return
sctp_sf_tabort_8_4_8
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_tabort_8_4_8
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
* Tag.
*/
if
(
chunk
->
sctp_hdr
->
vtag
!=
0
)
return
sctp_sf_tabort_8_4_8
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* Verify the INIT chunk before processing it. */
/* Verify the INIT chunk before processing it. */
err_chunk
=
NULL
;
err_chunk
=
NULL
;
if
(
!
sctp_verify_init
(
asoc
,
chunk
->
chunk_hdr
->
type
,
if
(
!
sctp_verify_init
(
asoc
,
chunk
->
chunk_hdr
->
type
,
...
@@ -377,6 +383,9 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
...
@@ -377,6 +383,9 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
if
(
!
chunk
->
singleton
)
if
(
!
chunk
->
singleton
)
return
SCTP_DISPOSITION_VIOLATION
;
return
SCTP_DISPOSITION_VIOLATION
;
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* Grab the INIT header. */
/* Grab the INIT header. */
chunk
->
subh
.
init_hdr
=
(
sctp_inithdr_t
*
)
chunk
->
skb
->
data
;
chunk
->
subh
.
init_hdr
=
(
sctp_inithdr_t
*
)
chunk
->
skb
->
data
;
...
@@ -659,8 +668,12 @@ sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep,
...
@@ -659,8 +668,12 @@ sctp_disposition_t sctp_sf_do_5_1E_ca(const struct sctp_endpoint *ep,
const
sctp_subtype_t
type
,
void
*
arg
,
const
sctp_subtype_t
type
,
void
*
arg
,
sctp_cmd_seq_t
*
commands
)
sctp_cmd_seq_t
*
commands
)
{
{
struct
sctp_chunk
*
chunk
=
arg
;
struct
sctp_ulpevent
*
ev
;
struct
sctp_ulpevent
*
ev
;
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* RFC 2960 5.1 Normal Establishment of an Association
/* RFC 2960 5.1 Normal Establishment of an Association
*
*
* E) Upon reception of the COOKIE ACK, endpoint "A" will move
* E) Upon reception of the COOKIE ACK, endpoint "A" will move
...
@@ -807,13 +820,7 @@ sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
...
@@ -807,13 +820,7 @@ sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
struct
sctp_chunk
*
reply
;
struct
sctp_chunk
*
reply
;
size_t
paylen
=
0
;
size_t
paylen
=
0
;
/* 8.5 When receiving an SCTP packet, the endpoint MUST ensure
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag. If the received
* Verification Tag value does not match the receiver's own
* tag value, the receiver shall silently discard the packet...
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* 8.3 The receiver of the HEARTBEAT should immediately
/* 8.3 The receiver of the HEARTBEAT should immediately
...
@@ -876,11 +883,7 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
...
@@ -876,11 +883,7 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
sctp_sender_hb_info_t
*
hbinfo
;
sctp_sender_hb_info_t
*
hbinfo
;
unsigned
long
max_interval
;
unsigned
long
max_interval
;
/* 8.5 When receiving an SCTP packet, the endpoint MUST ensure
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag. ...
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
hbinfo
=
(
sctp_sender_hb_info_t
*
)
chunk
->
skb
->
data
;
hbinfo
=
(
sctp_sender_hb_info_t
*
)
chunk
->
skb
->
data
;
...
@@ -1130,6 +1133,12 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
...
@@ -1130,6 +1133,12 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
if
(
!
chunk
->
singleton
)
if
(
!
chunk
->
singleton
)
return
SCTP_DISPOSITION_VIOLATION
;
return
SCTP_DISPOSITION_VIOLATION
;
/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
* Tag.
*/
if
(
chunk
->
sctp_hdr
->
vtag
!=
0
)
return
sctp_sf_tabort_8_4_8
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* Grab the INIT header. */
/* Grab the INIT header. */
chunk
->
subh
.
init_hdr
=
(
sctp_inithdr_t
*
)
chunk
->
skb
->
data
;
chunk
->
subh
.
init_hdr
=
(
sctp_inithdr_t
*
)
chunk
->
skb
->
data
;
...
@@ -2099,13 +2108,7 @@ sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
...
@@ -2099,13 +2108,7 @@ sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
skb_pull
(
chunk
->
skb
,
sizeof
(
sctp_shutdownhdr_t
));
skb_pull
(
chunk
->
skb
,
sizeof
(
sctp_shutdownhdr_t
));
chunk
->
subh
.
shutdown_hdr
=
sdh
;
chunk
->
subh
.
shutdown_hdr
=
sdh
;
/* 8.5 When receiving an SCTP packet, the endpoint MUST ensure
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag. If the received
* Verification Tag value does not match the receiver's own
* tag value, the receiver shall silently discard the packet...
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* Upon the reception of the SHUTDOWN, the peer endpoint shall
/* Upon the reception of the SHUTDOWN, the peer endpoint shall
...
@@ -2218,13 +2221,7 @@ sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep,
...
@@ -2218,13 +2221,7 @@ sctp_disposition_t sctp_sf_do_ecn_cwr(const struct sctp_endpoint *ep,
sctp_cwrhdr_t
*
cwr
;
sctp_cwrhdr_t
*
cwr
;
struct
sctp_chunk
*
chunk
=
arg
;
struct
sctp_chunk
*
chunk
=
arg
;
/* 8.5 When receiving an SCTP packet, the endpoint MUST ensure
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag. If the received
* Verification Tag value does not match the receiver's own
* tag value, the receiver shall silently discard the packet...
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
cwr
=
(
sctp_cwrhdr_t
*
)
chunk
->
skb
->
data
;
cwr
=
(
sctp_cwrhdr_t
*
)
chunk
->
skb
->
data
;
...
@@ -2274,13 +2271,7 @@ sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep,
...
@@ -2274,13 +2271,7 @@ sctp_disposition_t sctp_sf_do_ecne(const struct sctp_endpoint *ep,
sctp_ecnehdr_t
*
ecne
;
sctp_ecnehdr_t
*
ecne
;
struct
sctp_chunk
*
chunk
=
arg
;
struct
sctp_chunk
*
chunk
=
arg
;
/* 8.5 When receiving an SCTP packet, the endpoint MUST ensure
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag. If the received
* Verification Tag value does not match the receiver's own
* tag value, the receiver shall silently discard the packet...
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
ecne
=
(
sctp_ecnehdr_t
*
)
chunk
->
skb
->
data
;
ecne
=
(
sctp_ecnehdr_t
*
)
chunk
->
skb
->
data
;
...
@@ -2337,13 +2328,7 @@ sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep,
...
@@ -2337,13 +2328,7 @@ sctp_disposition_t sctp_sf_eat_data_6_2(const struct sctp_endpoint *ep,
int
tmp
;
int
tmp
;
__u32
tsn
;
__u32
tsn
;
/* RFC 2960 8.5 Verification Tag
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
{
*
* When receiving an SCTP packet, the endpoint MUST ensure
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag.
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
{
sctp_add_cmd_sf
(
commands
,
SCTP_CMD_REPORT_BAD_TAG
,
sctp_add_cmd_sf
(
commands
,
SCTP_CMD_REPORT_BAD_TAG
,
SCTP_NULL
());
SCTP_NULL
());
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
...
@@ -2597,13 +2582,7 @@ sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep,
...
@@ -2597,13 +2582,7 @@ sctp_disposition_t sctp_sf_eat_data_fast_4_4(const struct sctp_endpoint *ep,
int
tmp
;
int
tmp
;
__u32
tsn
;
__u32
tsn
;
/* RFC 2960 8.5 Verification Tag
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
{
*
* When receiving an SCTP packet, the endpoint MUST ensure
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag.
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
{
sctp_add_cmd_sf
(
commands
,
SCTP_CMD_REPORT_BAD_TAG
,
sctp_add_cmd_sf
(
commands
,
SCTP_CMD_REPORT_BAD_TAG
,
SCTP_NULL
());
SCTP_NULL
());
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
...
@@ -2773,11 +2752,7 @@ sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,
...
@@ -2773,11 +2752,7 @@ sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,
sctp_sackhdr_t
*
sackh
;
sctp_sackhdr_t
*
sackh
;
__u32
ctsn
;
__u32
ctsn
;
/* 8.5 When receiving an SCTP packet, the endpoint MUST ensure
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag. ...
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* Pull the SACK chunk from the data buffer */
/* Pull the SACK chunk from the data buffer */
...
@@ -2923,6 +2898,9 @@ sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep,
...
@@ -2923,6 +2898,9 @@ sctp_disposition_t sctp_sf_do_9_2_final(const struct sctp_endpoint *ep,
struct
sctp_chunk
*
reply
;
struct
sctp_chunk
*
reply
;
struct
sctp_ulpevent
*
ev
;
struct
sctp_ulpevent
*
ev
;
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
/* 10.2 H) SHUTDOWN COMPLETE notification
/* 10.2 H) SHUTDOWN COMPLETE notification
*
*
* When SCTP completes the shutdown procedures (section 9.2) this
* When SCTP completes the shutdown procedures (section 9.2) this
...
@@ -3257,13 +3235,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
...
@@ -3257,13 +3235,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
__u16
len
;
__u16
len
;
__u32
tsn
;
__u32
tsn
;
/* RFC 2960 8.5 Verification Tag
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
{
*
* When receiving an SCTP packet, the endpoint MUST ensure
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag.
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
{
sctp_add_cmd_sf
(
commands
,
SCTP_CMD_REPORT_BAD_TAG
,
sctp_add_cmd_sf
(
commands
,
SCTP_CMD_REPORT_BAD_TAG
,
SCTP_NULL
());
SCTP_NULL
());
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
...
@@ -3321,13 +3293,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
...
@@ -3321,13 +3293,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
__u16
len
;
__u16
len
;
__u32
tsn
;
__u32
tsn
;
/* RFC 2960 8.5 Verification Tag
if
(
!
sctp_vtag_verify
(
chunk
,
asoc
))
{
*
* When receiving an SCTP packet, the endpoint MUST ensure
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag.
*/
if
(
ntohl
(
chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
{
sctp_add_cmd_sf
(
commands
,
SCTP_CMD_REPORT_BAD_TAG
,
sctp_add_cmd_sf
(
commands
,
SCTP_CMD_REPORT_BAD_TAG
,
SCTP_NULL
());
SCTP_NULL
());
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
...
@@ -3404,13 +3370,7 @@ sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep,
...
@@ -3404,13 +3370,7 @@ sctp_disposition_t sctp_sf_unk_chunk(const struct sctp_endpoint *ep,
SCTP_DEBUG_PRINTK
(
"Processing the unknown chunk id %d.
\n
"
,
type
.
chunk
);
SCTP_DEBUG_PRINTK
(
"Processing the unknown chunk id %d.
\n
"
,
type
.
chunk
);
/* 8.5 When receiving an SCTP packet, the endpoint MUST ensure
if
(
!
sctp_vtag_verify
(
unk_chunk
,
asoc
))
* that the value in the Verification Tag field of the
* received SCTP packet matches its own Tag. If the received
* Verification Tag value does not match the receiver's own
* tag value, the receiver shall silently discard the packet.
*/
if
(
ntohl
(
unk_chunk
->
sctp_hdr
->
vtag
)
!=
asoc
->
c
.
my_vtag
)
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
return
sctp_sf_pdiscard
(
ep
,
asoc
,
type
,
arg
,
commands
);
switch
(
type
.
chunk
&
SCTP_CID_ACTION_MASK
)
{
switch
(
type
.
chunk
&
SCTP_CID_ACTION_MASK
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment