aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>2015-06-11 13:49:46 -0400
committerDavid S. Miller <davem@davemloft.net>2015-06-12 17:18:20 -0400
commitae36806a622aea5ac79f279cfccc82144967b6e7 (patch)
tree7e3cfacb5c43d0394875be466098c387e33357ba /net
parentfb05e7a89f500cfc06ae277bdc911b281928995d (diff)
sctp: allow authenticating DATA chunks that are bundled with COOKIE_ECHO
Currently, we can ask to authenticate DATA chunks and we can send DATA chunks on the same packet as COOKIE_ECHO, but if you try to combine both, the DATA chunk will be sent unauthenticated and peer won't accept it, leading to a communication failure. This happens because even though the data was queued after it was requested to authenticate DATA chunks, it was also queued before we could know that remote peer can handle authenticating, so sctp_auth_send_cid() returns false. The fix is whenever we set up an active key, re-check send queue for chunks that now should be authenticated. As a result, such packet will now contain COOKIE_ECHO + AUTH + DATA chunks, in that order. Reported-by: Liu Wei <weliu@redhat.com> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/sctp/auth.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index fb7976aee61c..4f15b7d730e1 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -381,13 +381,14 @@ nomem:
381} 381}
382 382
383 383
384/* Public interface to creat the association shared key. 384/* Public interface to create the association shared key.
385 * See code above for the algorithm. 385 * See code above for the algorithm.
386 */ 386 */
387int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp) 387int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp)
388{ 388{
389 struct sctp_auth_bytes *secret; 389 struct sctp_auth_bytes *secret;
390 struct sctp_shared_key *ep_key; 390 struct sctp_shared_key *ep_key;
391 struct sctp_chunk *chunk;
391 392
392 /* If we don't support AUTH, or peer is not capable 393 /* If we don't support AUTH, or peer is not capable
393 * we don't need to do anything. 394 * we don't need to do anything.
@@ -410,6 +411,14 @@ int sctp_auth_asoc_init_active_key(struct sctp_association *asoc, gfp_t gfp)
410 sctp_auth_key_put(asoc->asoc_shared_key); 411 sctp_auth_key_put(asoc->asoc_shared_key);
411 asoc->asoc_shared_key = secret; 412 asoc->asoc_shared_key = secret;
412 413
414 /* Update send queue in case any chunk already in there now
415 * needs authenticating
416 */
417 list_for_each_entry(chunk, &asoc->outqueue.out_chunk_list, list) {
418 if (sctp_auth_send_cid(chunk->chunk_hdr->type, asoc))
419 chunk->auth = 1;
420 }
421
413 return 0; 422 return 0;
414} 423}
415 424