authorLee A. Roberts <lee.roberts@hp.com>2013-02-27 23:37:27 -0500
committerDavid S. Miller <davem@davemloft.net>2013-02-28 15:34:26 -0500
commit70fc69bc5a54d9776ace7c99d46eb533f8fb6e89 (patch)
tree8720e9ed3e8d91b80dac204d95cf81a3774ba43a /net/sctp
parent726bc6b092da4c093eb74d13c07184b18c1af0f1 (diff)
sctp: fix association hangs due to off-by-one errors in sctp_tsnmap_grow()
In sctp_tsnmap_mark(), correct off-by-one error when calculating size value for sctp_tsnmap_grow(). In sctp_tsnmap_grow(), correct off-by-one error when copying and resizing the tsnmap. If max_tsn_seen is in the LSB of the word, this bit can be lost, causing the corresponding packet to be transmitted again and to be entered as a duplicate into the SCTP reassembly/ordering queues. Change parameter name from "gap" (zero-based index) to "size" (one-based) to enhance code readability. Signed-off-by: Lee A. Roberts <lee.roberts@hp.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com>
Diffstat (limited to 'net/sctp')
-rw-r--r--net/sctp/tsnmap.c13
1 files changed, 7 insertions, 6 deletions
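diff --git a/net/sctp/tsnmap.c b/net/sctp/tsnmap.c
index 5f25e0c92c31..396c45174e5b 100644
--- a/net/sctp/tsnmap.c
+++ b/net/sctp/tsnmap.c
@@ -51,7 +51,7 @@
 static void sctp_tsnmap_update(struct sctp_tsnmap *map);
 static void sctp_tsnmap_find_gap_ack(unsigned long *map, __u16 off,
 __u16 len, __u16 *start, __u16 *end);
-static int sctp_tsnmap_grow(struct sctp_tsnmap *map, u16 gap);
+static int sctp_tsnmap_grow(struct sctp_tsnmap *map, u16 size);
 
 /* Initialize a block of memory as a tsnmap. */
 struct sctp_tsnmap *sctp_tsnmap_init(struct sctp_tsnmap *map, __u16 len,
@@ -124,7 +124,7 @@ int sctp_tsnmap_mark(struct sctp_tsnmap *map, __u32 tsn,
 
 gap = tsn - map->base_tsn;
 
-if (gap >= map->len && !sctp_tsnmap_grow(map, gap))
+if (gap >= map->len && !sctp_tsnmap_grow(map, gap + 1))
 return -ENOMEM;
 
 if (!sctp_tsnmap_has_gap(map) && gap == 0) {
@@ -360,23 +360,24 @@ __u16 sctp_tsnmap_num_gabs(struct sctp_tsnmap *map,
 return ngaps;
 }
 
-static int sctp_tsnmap_grow(struct sctp_tsnmap *map, u16 gap)
+static int sctp_tsnmap_grow(struct sctp_tsnmap *map, u16 size)
 {
 unsigned long *new;
 unsigned long inc;
 u16 len;
 
-if (gap >= SCTP_TSN_MAP_SIZE)
+if (size > SCTP_TSN_MAP_SIZE)
 return 0;
 
-inc = ALIGN((gap - map->len),BITS_PER_LONG) + SCTP_TSN_MAP_INCREMENT;
+inc = ALIGN((size - map->len), BITS_PER_LONG) + SCTP_TSN_MAP_INCREMENT;
 len = min_t(u16, map->len + inc, SCTP_TSN_MAP_SIZE);
 
 new = kzalloc(len>>3, GFP_ATOMIC);
 if (!new)
 return 0;
 
-bitmap_copy(new, map->tsn_map, map->max_tsn_seen - map->base_tsn);
+bitmap_copy(new, map->tsn_map,
+map->max_tsn_seen - map->cumulative_tsn_ack_point);
 kfree(map->tsn_map);
 map->tsn_map = new;
 map->len = len;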
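Review bot: The bit count passed to `bitmap_copy()` in sctp_tsnmap_grow() is `map->max_tsn_seen - map->cumulative_tsn_ack_point`, and nothing visible in this hunk bounds it by the old `map->len` (the size of the source bitmap) or by the new `len` behind `kzalloc(len>>3, ...)`. These fields track TSNs carried in received packets, so if the invariant that keeps the difference within the map is enforced elsewhere (presumably in sctp_tsnmap_mark() and its callers), it should be stated next to the copy, e.g. `/* copies bits base_tsn..max_tsn_seen inclusive; count must not exceed the old map->len */`. The relation between `cumulative_tsn_ack_point` and `base_tsn` that makes this the off-by-one fix is not shown in the hunk either; presumably the former is `base_tsn - 1`, which the comment should confirm. A defensive alternative is to clamp the count before copying, `nbits = min_t(u32, map->max_tsn_seen - map->cumulative_tsn_ack_point, map->len);`. The function body continues past the end of the hunk.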