diff options
author | Shan Wei <shanwei@cn.fujitsu.com> | 2011-04-19 17:26:26 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-04-20 04:51:02 -0400 |
commit | 96ca468b86b09aa6a001ac65dba93a6c4a3692a5 (patch) | |
tree | 2fe288fb35d4dd0faa0cd9ea0fd6c32690ec387d | |
parent | 8a00be1c89cc17fda5f438794ff27449af6f00f1 (diff) |
sctp: check invalid value of length parameter in error cause
RFC4960, section 3.3.7 said:
If an endpoint receives an ABORT with a format error or no TCB is
found, it MUST silently discard it.
When an endpoint receives ABORT that parameter value is invalid,
drop it.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/sctp/sm_statefuns.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index fe2036d79f5..194d5ecab5c 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c | |||
@@ -2412,8 +2412,15 @@ static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep, | |||
2412 | 2412 | ||
2413 | /* See if we have an error cause code in the chunk. */ | 2413 | /* See if we have an error cause code in the chunk. */ |
2414 | len = ntohs(chunk->chunk_hdr->length); | 2414 | len = ntohs(chunk->chunk_hdr->length); |
2415 | if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) | 2415 | if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { |
2416 | |||
2417 | sctp_errhdr_t *err; | ||
2418 | sctp_walk_errors(err, chunk->chunk_hdr); | ||
2419 | if ((void *)err != (void *)chunk->chunk_end) | ||
2420 | return sctp_sf_pdiscard(ep, asoc, type, arg, commands); | ||
2421 | |||
2416 | error = ((sctp_errhdr_t *)chunk->skb->data)->cause; | 2422 | error = ((sctp_errhdr_t *)chunk->skb->data)->cause; |
2423 | } | ||
2417 | 2424 | ||
2418 | sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); | 2425 | sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); |
2419 | /* ASSOC_FAILED will DELETE_TCB. */ | 2426 | /* ASSOC_FAILED will DELETE_TCB. */ |