git: a3665770d7d8 - main - sctp: improve handling of illegal parameters of INIT-ACK chunks
Michael Tuexen
tuexen at FreeBSD.org
Fri Aug 20 12:11:40 UTC 2021
The branch main has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=a3665770d7d85e990f7703170a27f8e2d3e455b5
commit a3665770d7d85e990f7703170a27f8e2d3e455b5
Author: Michael Tuexen <tuexen at FreeBSD.org>
AuthorDate: 2021-08-20 12:03:49 +0000
Commit: Michael Tuexen <tuexen at FreeBSD.org>
CommitDate: 2021-08-20 12:06:41 +0000
sctp: improve handling of illegal parameters of INIT-ACK chunks
MFC after: 3 days
---
sys/netinet/sctp_input.c | 69 ++++++++++++++++++------------------------------
1 file changed, 26 insertions(+), 43 deletions(-)
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 66ec2d6a577a..f579d10333fb 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -1244,26 +1244,23 @@ sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
"sctp_handle_init_ack: TCB is null\n");
return (-1);
}
- init_ack = &cp->init;
- /* Validate parameters. */
- if ((ntohl(init_ack->initiate_tag) == 0) ||
- (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) ||
- (ntohs(init_ack->num_inbound_streams) == 0) ||
- (ntohs(init_ack->num_outbound_streams) == 0)) {
- /* protocol error... send an abort */
- op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
- sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
- src, dst, sh, op_err,
- mflowtype, mflowid,
- vrf_id, net->port);
- *abort_no_unlock = 1;
- return (-1);
- }
- /* process according to association state... */
- switch (SCTP_GET_STATE(stcb)) {
- case SCTP_STATE_COOKIE_WAIT:
- /* this is the expected state for this chunk */
- /* process the INIT-ACK parameters */
+ /* Only process the INIT-ACK chunk in COOKIE WAIT state. */
+ if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) {
+ init_ack = &cp->init;
+ /* Validate parameters. */
+ if ((ntohl(init_ack->initiate_tag) == 0) ||
+ (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) ||
+ (ntohs(init_ack->num_inbound_streams) == 0) ||
+ (ntohs(init_ack->num_outbound_streams) == 0)) {
+ /* One of the mandatory parameters is illegal. */
+ op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
+ sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
+ src, dst, sh, op_err,
+ mflowtype, mflowid,
+ vrf_id, net->port);
+ *abort_no_unlock = 1;
+ return (-1);
+ }
if (stcb->asoc.primary_destination->dest_state &
SCTP_ADDR_UNCONFIRMED) {
/*
@@ -1284,11 +1281,11 @@ sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
/* error in parsing parameters */
return (-1);
}
- /* update our state */
+ /* Update our state. */
SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_ECHOED);
- /* reset the RTO calc */
+ /* Reset the RTO calculation. */
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
stcb->asoc.overall_error_count,
@@ -1299,34 +1296,20 @@ sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
stcb->asoc.overall_error_count = 0;
(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
/*
- * collapse the init timer back in case of a exponential
- * backoff
+ * Collapse the init timer back in case of a exponential
+ * backoff.
*/
sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
stcb, net);
/*
- * the send at the end of the inbound data processing will
- * cause the cookie to be sent
+ * The output routine at the end of the inbound data
+ * processing will cause the cookie to be sent.
*/
- break;
- case SCTP_STATE_SHUTDOWN_SENT:
- /* incorrect state... discard */
- break;
- case SCTP_STATE_COOKIE_ECHOED:
- /* incorrect state... discard */
- break;
- case SCTP_STATE_OPEN:
- /* incorrect state... discard */
- break;
- case SCTP_STATE_EMPTY:
- case SCTP_STATE_INUSE:
- default:
- /* incorrect state... discard */
+ SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
+ return (0);
+ } else {
return (-1);
- break;
}
- SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
- return (0);
}
static struct sctp_tcb *
More information about the dev-commits-src-main
mailing list