summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWei Yongjun <yjwei@cn.fujitsu.com>2008-10-23 01:00:21 -0700
committerDavid S. Miller <davem@davemloft.net>2008-10-23 01:00:21 -0700
commitdf10eec476f2045a2ef5f85d97c7b47d992d7f7b (patch)
tree22d7855af143100359be8ef568f85dd3fb1d636b
parent91bd6b1e030266cf87d3f567b49f0fa60a7318ba (diff)
downloadkernel-crypto-df10eec476f2045a2ef5f85d97c7b47d992d7f7b.tar.gz
kernel-crypto-df10eec476f2045a2ef5f85d97c7b47d992d7f7b.tar.xz
kernel-crypto-df10eec476f2045a2ef5f85d97c7b47d992d7f7b.zip
sctp: Add check for the TSN field of the SHUTDOWN chunk
If SHUTDOWN chunk is received Cumulative TSN Ack beyond the max tsn currently send, SHUTDOWN chunk be accepted and the association will be broken. New data is send, but after received SACK it will be drop because TSN in SACK is less than the Cumulative TSN, data will be retrans again and again even if correct SACK is received. The packet sequence is like this: Endpoint A Endpoint B ULP (ESTABLISHED) (ESTABLISHED) <----------- DATA (TSN=x-1) <----------- DATA (TSN=x) SHUTDOWN -----------> (Now Cumulative TSN=x+1000) (TSN=x+1000) <----------- DATA (TSN=x+1) SACK -----------> drop the SACK (TSN=x+1) <----------- DATA (TSN=x+1)(retrans) This patch fix this problem by terminating the association and respond to the sender with an ABORT. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sctp/sm_statefuns.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index d4c3fbc4671..12f62174f4a 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2544,6 +2544,7 @@ sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
sctp_shutdownhdr_t *sdh;
sctp_disposition_t disposition;
struct sctp_ulpevent *ev;
+ __u32 ctsn;
if (!sctp_vtag_verify(chunk, asoc))
return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
@@ -2558,6 +2559,14 @@ sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
chunk->subh.shutdown_hdr = sdh;
+ ctsn = ntohl(sdh->cum_tsn_ack);
+
+ /* If Cumulative TSN Ack beyond the max tsn currently
+ * send, terminating the association and respond to the
+ * sender with an ABORT.
+ */
+ if (!TSN_lt(ctsn, asoc->next_tsn))
+ return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
/* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
* When a peer sends a SHUTDOWN, SCTP delivers this notification to