diff options
| author | Wei Yongjun <yjwei@cn.fujitsu.com> | 2009-03-02 01:46:51 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-03-03 01:27:39 -0500 |
| commit | 3df2678737974accf437dad11e584c1871a3ede3 (patch) | |
| tree | 30a5946dec870081f36bc0c779a3b5b243349424 /net/sctp/sm_statefuns.c | |
| parent | d1dd524785e30cf3d64d395d829b207376acb0aa (diff) | |
sctp: fix kernel panic with ERROR chunk containing too many error causes
If ERROR chunk is received with too many error causes in ESTABLISHED
state, the kernel get panic.
This is because sctp limit the max length of cmds to 14, but while
ERROR chunk is received, one error cause will add around 2 cmds by
sctp_add_cmd_sf(). So many error causes will fill the limit of cmds
and panic.
This patch fixed the problem.
This bug can be test by SCTP Conformance Test Suite
<http://networktest.sourceforge.net/>.
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/sm_statefuns.c')
| -rw-r--r-- | net/sctp/sm_statefuns.c | 16 |
1 files changed, 2 insertions, 14 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 3a0cd075914f..f88dfded0e3a 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c | |||
| @@ -3163,7 +3163,6 @@ sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, | |||
| 3163 | sctp_cmd_seq_t *commands) | 3163 | sctp_cmd_seq_t *commands) |
| 3164 | { | 3164 | { |
| 3165 | struct sctp_chunk *chunk = arg; | 3165 | struct sctp_chunk *chunk = arg; |
| 3166 | struct sctp_ulpevent *ev; | ||
| 3167 | 3166 | ||
| 3168 | if (!sctp_vtag_verify(chunk, asoc)) | 3167 | if (!sctp_vtag_verify(chunk, asoc)) |
| 3169 | return sctp_sf_pdiscard(ep, asoc, type, arg, commands); | 3168 | return sctp_sf_pdiscard(ep, asoc, type, arg, commands); |
| @@ -3173,21 +3172,10 @@ sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep, | |||
| 3173 | return sctp_sf_violation_chunklen(ep, asoc, type, arg, | 3172 | return sctp_sf_violation_chunklen(ep, asoc, type, arg, |
| 3174 | commands); | 3173 | commands); |
| 3175 | 3174 | ||
| 3176 | while (chunk->chunk_end > chunk->skb->data) { | 3175 | sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, |
| 3177 | ev = sctp_ulpevent_make_remote_error(asoc, chunk, 0, | 3176 | SCTP_CHUNK(chunk)); |
| 3178 | GFP_ATOMIC); | ||
| 3179 | if (!ev) | ||
| 3180 | goto nomem; | ||
| 3181 | 3177 | ||
| 3182 | sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, | ||
| 3183 | SCTP_ULPEVENT(ev)); | ||
| 3184 | sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR, | ||
| 3185 | SCTP_CHUNK(chunk)); | ||
| 3186 | } | ||
| 3187 | return SCTP_DISPOSITION_CONSUME; | 3178 | return SCTP_DISPOSITION_CONSUME; |
| 3188 | |||
| 3189 | nomem: | ||
| 3190 | return SCTP_DISPOSITION_NOMEM; | ||
| 3191 | } | 3179 | } |
| 3192 | 3180 | ||
| 3193 | /* | 3181 | /* |