On Thu, 2018-05-24 at 11:37 +0200, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Xin Long lucien.xin@gmail.com
[ Upstream commit 59d8d4434f429b4fa8a346fd889058bda427a837 ]
Now sctp only delays the authentication for the normal cookie-echo chunk by setting chunk->auth_chunk in sctp_endpoint_bh_rcv(). But for the duplicated one with auth, in sctp_assoc_bh_rcv(), it does authentication first based on the old asoc, which will definitely fail due to the different auth info in the old asoc.
[...]
--- a/net/sctp/associola.c +++ b/net/sctp/associola.c @@ -1000,9 +1000,10 @@ static void sctp_assoc_bh_rcv(struct wor struct sctp_endpoint *ep; struct sctp_chunk *chunk; struct sctp_inq *inqueue;
- int state;
sctp_subtype_t subtype;
- int first_time = 1; /* is this the first time through the loop */
int error = 0;
- int state;
/* The association should be held so we should be safe. */ ep = asoc->ep; @@ -1013,6 +1014,30 @@ static void sctp_assoc_bh_rcv(struct wor state = asoc->state; subtype = SCTP_ST_CHUNK(chunk->chunk_hdr->type);
/* If the first chunk in the packet is AUTH, do special* processing specified in Section 6.3 of SCTP-AUTH spec*/if (first_time && subtype.chunk == SCTP_CID_AUTH) {struct sctp_chunkhdr *next_hdr;next_hdr = sctp_inq_peek(inqueue);if (!next_hdr)goto normal;/* If the next chunk is COOKIE-ECHO, skip the AUTH* chunk while saving a pointer to it so we can do* Authentication later (during cookie-echo* processing).*/if (next_hdr->type == SCTP_CID_COOKIE_ECHO) {chunk->auth_chunk = skb_clone(chunk->skb,GFP_ATOMIC);chunk->auth = 1;
Doesn't the first_time flag need to be cleared here (and before the other continue statement in this loop)?
Ben.
continue;}}+normal:
[...]