Commit 7115e632 authored by Wei Yongjun, committed by David S. Miller

sctp: Validate Initiate Tag when handling ICMP message

This patch adds validation of the initiate tag and chunk type if the
verification tag is 0 when handling an ICMP message.

RFC 4960, Appendix C. ICMP Handling

ICMP6) An implementation MUST validate that the Verification Tag
contained in the ICMP message matches the Verification Tag of the peer.
If the Verification Tag is not 0 and does NOT match, discard the ICMP
message.  If it is 0 and the ICMP message contains enough bytes to
verify that the chunk type is an INIT chunk and that the Initiate Tag
matches the tag of the peer, continue with ICMP7.  If the ICMP message
is too short or the chunk type or the Initiate Tag does not match,
silently discard the packet.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 0344f1c6
...@@ -430,6 +430,9 @@ struct sock *sctp_err_lookup(int family, struct sk_buff *skb, ...@@ -430,6 +430,9 @@ struct sock *sctp_err_lookup(int family, struct sk_buff *skb,
struct sock *sk = NULL; struct sock *sk = NULL;
struct sctp_association *asoc; struct sctp_association *asoc;
struct sctp_transport *transport = NULL; struct sctp_transport *transport = NULL;
struct sctp_init_chunk *chunkhdr;
__u32 vtag = ntohl(sctphdr->vtag);
int len = skb->len - ((void *)sctphdr - (void *)skb->data);
*app = NULL; *tpp = NULL; *app = NULL; *tpp = NULL;
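Review bot: `len` is declared `int` here, but the next hunk compares it against a sum of `sizeof` values, so the comparison is carried out unsigned. If `skb->len` were ever smaller than the offset of `sctphdr` from `skb->data`, the negative result would convert to a large value and pass the length check. Consider rejecting a negative `len` explicitly before that comparison, or noting in a comment why `sctphdr` is guaranteed to lie within the buffer at this point.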
...@@ -451,8 +454,28 @@ struct sock *sctp_err_lookup(int family, struct sk_buff *skb, ...@@ -451,8 +454,28 @@ struct sock *sctp_err_lookup(int family, struct sk_buff *skb,
sk = asoc->base.sk; sk = asoc->base.sk;
if (ntohl(sctphdr->vtag) != asoc->c.peer_vtag) { /* RFC 4960, Appendix C. ICMP Handling
ICMP_INC_STATS_BH(ICMP_MIB_INERRORS); *
* ICMP6) An implementation MUST validate that the Verification Tag
* contained in the ICMP message matches the Verification Tag of
* the peer. If the Verification Tag is not 0 and does NOT
* match, discard the ICMP message. If it is 0 and the ICMP
* message contains enough bytes to verify that the chunk type is
* an INIT chunk and that the Initiate Tag matches the tag of the
* peer, continue with ICMP7. If the ICMP message is too short
* or the chunk type or the Initiate Tag does not match, silently
* discard the packet.
*/
if (vtag == 0) {
chunkhdr = (struct sctp_init_chunk *)((void *)sctphdr
+ sizeof(struct sctphdr));
if (len < sizeof(struct sctphdr) + sizeof(sctp_chunkhdr_t)
+ sizeof(__be32) ||
chunkhdr->chunk_hdr.type != SCTP_CID_INIT ||
ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag) {
goto out;
}
} else if (vtag != asoc->c.peer_vtag) {
goto out; goto out;
} }
......
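Review bot: The removed branch incremented ICMP_MIB_INERRORS before `goto out`, and neither new branch (`vtag == 0` failing the INIT checks, or `vtag != asoc->c.peer_vtag`) does so; the commit message does not mention this change. Please confirm the counter is still incremented on the discard path (at `out` or in the callers), or restore it in both branches. A short comment on why the Initiate Tag is compared with `asoc->c.my_vtag` while a non-zero tag is compared with `asoc->c.peer_vtag` would also help readers match the code to the ICMP6 wording.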