author | Vlad Yasevich <vladislav.yasevich@hp.com> | 2007-10-24 17:24:26 -0400 |
---|---|---|
committer | Vlad Yasevich <vladislav.yasevich@hp.com> | 2007-11-07 11:39:27 -0500 |
commit | 73d9c4fd1a6ec4950b2eac8135d35506bf400d6c (patch) | |
tree | b2d6fe707cdc790c9b42a2487d2892e97c6561ba | |
parent | 88799fe5ec65fad1d5cb1d4dc5d8f78edb949f1c (diff) |
SCTP: Allow ADD_IP to work with AUTH for backward compatibility.
This patch adds a tunable that will allow ADD_IP to work without
AUTH for backward compatibility. The default value is off since
the default value for ADD_IP is off as well. People who need
to use ADD-IP with older implementations risk connection
hijacking, and should consider upgrading those peers or, accepting the risk, turning this tunable on.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
-rw-r--r-- | include/net/sctp/structs.h | 2 | ||||
-rw-r--r-- | net/sctp/associola.c | 8 | ||||
-rw-r--r-- | net/sctp/protocol.c | 1 | ||||
-rw-r--r-- | net/sctp/sm_make_chunk.c | 4 | ||||
-rw-r--r-- | net/sctp/sysctl.c | 9 |
5 files changed, 21 insertions, 3 deletions
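--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -212,6 +212,7 @@ extern struct sctp_globals {
 
 /* Flag to indicate if addip is enabled. */
 int addip_enable;
+int addip_noauth_enable;
 
 /* Flag to indicate if PR-SCTP is enabled. */
 int prsctp_enable;
@@ -249,6 +250,7 @@ extern struct sctp_globals {
 #define sctp_local_addr_list (sctp_globals.local_addr_list)
 #define sctp_local_addr_lock (sctp_globals.addr_list_lock)
 #define sctp_addip_enable (sctp_globals.addip_enable)
+#define sctp_addip_noauth (sctp_globals.addip_noauth_enable)
 #define sctp_prsctp_enable (sctp_globals.prsctp_enable)
 #define sctp_auth_enable (sctp_globals.auth_enable)
 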
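Review bot: The new `addip_noauth_enable` member at line 215 is the only field in this stretch of `struct sctp_globals` without a comment, while `addip_enable` and `prsctp_enable` each carry one. Since the commit message says enabling it exposes associations to connection hijacking, that should be stated where a maintainer will read it: `/* Flag to allow ADD-IP without AUTH for legacy peers (insecure: hijacking risk). */`. The struct is declared outside this hunk.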
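--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -262,10 +262,14 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
 */
 asoc->peer.sack_needed = 1;
 
-/* Assume that the peer recongizes ASCONF until reported otherwise
- * via an ERROR chunk.
+/* Assume that the peer will tell us if he recognizes ASCONF
+ * as part of INIT exchange.
+ * The sctp_addip_noauth option is there for backward compatibilty
+ * and will revert old behavior.
 */
 asoc->peer.asconf_capable = 0;
+if (sctp_addip_noauth)
+asoc->peer.asconf_capable = 1;
 
 /* Create an input queue. */
 sctp_inq_init(&asoc->base.inqueue);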
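Review bot: The added `if (sctp_addip_noauth) asoc->peer.asconf_capable = 1;` samples the host-wide sysctl once at association setup, so the backward-compatibility assumption is applied to every new association on the host, not only to the legacy peer it is meant for, and a later change to the sysctl does not affect associations that already exist. That is presumably intended, but it is worth saying in the comment, since this value is what `sctp_process_init` later tests: `/* Sampled once per association; a later sysctl change does not affect it. */`. The new comment also misspells "compatibilty" (should be "compatibility"). `sctp_association_init` begins and ends outside this hunk.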
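--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -1179,6 +1179,7 @@ SCTP_STATIC __init int sctp_init(void)
 
 /* Disable ADDIP by default. */
 sctp_addip_enable = 0;
+sctp_addip_noauth = 0;
 
 /* Enable PR-SCTP by default. */
 sctp_prsctp_enable = 1;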
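--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2137,8 +2137,10 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
 
 /* If the peer claims support for ADD-IP without support
 * for AUTH, disable support for ADD-IP.
+* Do this only if backward compatible mode is turned off.
 */
-if (asoc->peer.asconf_capable && !asoc->peer.auth_capable) {
+if (!sctp_addip_noauth &&
+(asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
 asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
 SCTP_PARAM_DEL_IP |
 SCTP_PARAM_SET_PRIMARY);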
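Review bot: The new `!sctp_addip_noauth &&` guard at line 2142 means that, once the sysctl is set, a peer that advertises ADD-IP but not AUTH keeps ASCONF enabled, and nothing in the hunk records that this association is now in the unauthenticated mode the commit message warns about. A one-line note in the comment above would help whoever reads this later: `/* With addip_noauth_enable set, ASCONF from a non-AUTH peer is accepted unauthenticated (hijacking risk). */`. Because the knob is global there is no way to confine the exemption to the one legacy peer it is meant for; if the file has a logging convention, a rate-limited warning on the path where the exemption is actually taken would at least make the exposure visible to the operator. `sctp_process_init` continues outside this hunk.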
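--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -263,6 +263,15 @@ static ctl_table sctp_table[] = {
 .proc_handler = &proc_dointvec,
 .strategy = &sysctl_intvec
 },
+{
+.ctl_name = CTL_UNNUMBERED,
+.procname = "addip_noauth_enable",
+.data = &sctp_addip_noauth,
+.maxlen = sizeof(int),
+.mode = 0644,
+.proc_handler = &proc_dointvec,
+.strategy = &sysctl_intvec
+},
 { .ctl_name = 0 }
 };
 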
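Review bot: The new `addip_noauth_enable` sysctl is registered without any accompanying documentation; the diffstat lists no change under Documentation/, so an administrator has no description of what the knob does or that, per the commit message, enabling it exposes associations to connection hijacking. An entry in the SCTP sysctl documentation (Documentation/networking/ip-sysctl.txt, if that is where the neighbouring sctp entries are described) should state the default of 0 and the risk. Like its neighbours the entry uses `proc_dointvec` with no range, so any non-zero value turns the mode on; that matches the surrounding table, but `proc_dointvec_minmax` with 0/1 bounds would make the boolean intent explicit.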