authorWei Yongjun <yjwei@cn.fujitsu.com>2011-04-19 17:30:51 -0400
committerDavid S. Miller <davem@davemloft.net>2011-04-20 04:51:05 -0400
commitde6becdc0844ff92b38ffd9f0c4db1d3de02835f (patch)
treef52df91a347ece7e4efc09ca2974e8e38f38a3f8 /net/sctp/sm_make_chunk.c
parent85c5ed4e44a262344ce43b4bf23204107923ca95 (diff)
sctp: fix to check the source address of COOKIE-ECHO chunk
SCTP does not check whether the source address of a COOKIE-ECHO chunk is the original address of the INIT chunk or one of the address parameters saved in the COOKIE in CLOSED state. So even if the COOKIE-ECHO chunk comes from any other address but carries a correct COOKIE, the COOKIE-ECHO chunk is still accepted. If the COOKIE is not from a valid address, the assoc should not be established. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/sm_make_chunk.c')
-rw-r--r--net/sctp/sm_make_chunk.c26
1 files changed, 21 insertions, 5 deletions
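diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f87ccb11a520..a7b65e9e44b3 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2242,14 +2242,17 @@ int sctp_verify_init(const struct sctp_association *asoc,
  * Returns 0 on failure, else success.
  * FIXME: This is an association method.
  */
-int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
+int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
  const union sctp_addr *peer_addr,
  sctp_init_chunk_t *peer_init, gfp_t gfp)
 {
  union sctp_params param;
  struct sctp_transport *transport;
  struct list_head *pos, *temp;
+ struct sctp_af *af;
+ union sctp_addr addr;
  char *cookie;
+ int src_match = 0;
 
  /* We must include the address that the INIT packet came from.
  * This is the only address that matters for an INIT packet.
@@ -2261,18 +2264,31 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
  * added as the primary transport. The source address seems to
  * be a a better choice than any of the embedded addresses.
  */
- if (peer_addr) {
- if(!sctp_assoc_add_peer(asoc, peer_addr, gfp, SCTP_ACTIVE))
- goto nomem;
- }
+ if(!sctp_assoc_add_peer(asoc, peer_addr, gfp, SCTP_ACTIVE))
+ goto nomem;
+
+ if (sctp_cmp_addr_exact(sctp_source(chunk), peer_addr))
+ src_match = 1;
 
  /* Process the initialization parameters. */
  sctp_walk_params(param, peer_init, init_hdr.params) {
+ if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+ param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+ af->from_addr_param(&addr, param.addr,
+ chunk->sctp_hdr->source, 0);
+ if (sctp_cmp_addr_exact(sctp_source(chunk), &addr))
+ src_match = 1;
+ }
 
  if (!sctp_process_param(asoc, param, peer_addr, gfp))
  goto clean_up;
  }
 
+ /* source address of chunk may not match any valid address */
+ if (!src_match)
+ goto clean_up;
+
  /* AUTH: After processing the parameters, make sure that we
  * have all the required info to potentially do authentications.
  */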
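Review bot: In the new block inside `sctp_walk_params`, the result of `sctp_get_af_specific(param_type2af(param.p->type))` is dereferenced through `af->from_addr_param(...)` without a NULL check. If that lookup can return NULL for an address family the host has not registered (its definition is not visible here, so this needs confirming), a peer-supplied address parameter of that family would turn into a NULL dereference on the receive path. The comparison should be skipped when the lookup fails, e.g. `if (af) { af->from_addr_param(&addr, param.addr, chunk->sctp_hdr->source, 0); if (sctp_cmp_addr_exact(sctp_source(chunk), &addr)) src_match = 1; }`. The hunk also drops the old `if (peer_addr)` guard, so `peer_addr` is now passed unconditionally to `sctp_assoc_add_peer()` and `sctp_cmp_addr_exact()`; every caller must pass a non-NULL address, which is worth stating in the function's header comment. The body of `sctp_process_init` continues past the end of the hunk.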