diff options
Diffstat (limited to 'net/sctp/sm_statefuns.c')
| -rw-r--r-- | net/sctp/sm_statefuns.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 477d7f80dba6..2b9a832b29a7 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c | |||
| @@ -884,7 +884,7 @@ sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep, | |||
| 884 | { | 884 | { |
| 885 | struct sctp_transport *transport = (struct sctp_transport *) arg; | 885 | struct sctp_transport *transport = (struct sctp_transport *) arg; |
| 886 | 886 | ||
| 887 | if (asoc->overall_error_count > asoc->max_retrans) { | 887 | if (asoc->overall_error_count >= asoc->max_retrans) { |
| 888 | /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ | 888 | /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */ |
| 889 | sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, | 889 | sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, |
| 890 | SCTP_U32(SCTP_ERROR_NO_ERROR)); | 890 | SCTP_U32(SCTP_ERROR_NO_ERROR)); |
| @@ -2122,7 +2122,7 @@ static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep, | |||
| 2122 | struct sctp_bind_addr *bp; | 2122 | struct sctp_bind_addr *bp; |
| 2123 | int attempts = asoc->init_err_counter + 1; | 2123 | int attempts = asoc->init_err_counter + 1; |
| 2124 | 2124 | ||
| 2125 | if (attempts >= asoc->max_init_attempts) { | 2125 | if (attempts > asoc->max_init_attempts) { |
| 2126 | sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, | 2126 | sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, |
| 2127 | SCTP_U32(SCTP_ERROR_STALE_COOKIE)); | 2127 | SCTP_U32(SCTP_ERROR_STALE_COOKIE)); |
| 2128 | return SCTP_DISPOSITION_DELETE_TCB; | 2128 | return SCTP_DISPOSITION_DELETE_TCB; |
| @@ -3090,6 +3090,8 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep, | |||
| 3090 | break; | 3090 | break; |
| 3091 | 3091 | ||
| 3092 | ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); | 3092 | ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); |
| 3093 | if (ch_end > skb->tail) | ||
| 3094 | break; | ||
| 3093 | 3095 | ||
| 3094 | if (SCTP_CID_SHUTDOWN_ACK == ch->type) | 3096 | if (SCTP_CID_SHUTDOWN_ACK == ch->type) |
| 3095 | ootb_shut_ack = 1; | 3097 | ootb_shut_ack = 1; |
| @@ -4638,7 +4640,7 @@ sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep, | |||
| 4638 | 4640 | ||
| 4639 | SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); | 4641 | SCTP_DEBUG_PRINTK("Timer T1 expired (INIT).\n"); |
| 4640 | 4642 | ||
| 4641 | if (attempts < asoc->max_init_attempts) { | 4643 | if (attempts <= asoc->max_init_attempts) { |
| 4642 | bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; | 4644 | bp = (struct sctp_bind_addr *) &asoc->base.bind_addr; |
| 4643 | repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); | 4645 | repl = sctp_make_init(asoc, bp, GFP_ATOMIC, 0); |
| 4644 | if (!repl) | 4646 | if (!repl) |
| @@ -4695,7 +4697,7 @@ sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep | |||
| 4695 | 4697 | ||
| 4696 | SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); | 4698 | SCTP_DEBUG_PRINTK("Timer T1 expired (COOKIE-ECHO).\n"); |
| 4697 | 4699 | ||
| 4698 | if (attempts < asoc->max_init_attempts) { | 4700 | if (attempts <= asoc->max_init_attempts) { |
| 4699 | repl = sctp_make_cookie_echo(asoc, NULL); | 4701 | repl = sctp_make_cookie_echo(asoc, NULL); |
| 4700 | if (!repl) | 4702 | if (!repl) |
| 4701 | return SCTP_DISPOSITION_NOMEM; | 4703 | return SCTP_DISPOSITION_NOMEM; |