[SCTP]: Fix protocol violation when receiving an error lenght INIT-ACK

When receiving an error length INIT-ACK during COOKIE-WAIT,
a 0-vtag ABORT will be responsed. This action violates the
protocol apparently. This patch achieves the following things.
1 If the INIT-ACK contains all the fixed parameters, use init-tag
  recorded from INIT-ACK as vtag.
2 If the INIT-ACK doesn't contain all the fixed parameters,
  just reflect its vtag.

Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/sctp/command.h b/include/net/sctp/command.h
index 10ae2da6f93bec65b2659b368b1b3a9081b5f9ca..35b1e83fb96a3010c2b6adf580250a0bd7388588 100644 (file)
--- a/include/net/sctp/command.h
+++ b/include/net/sctp/command.h
@@ -104,6 +104,7 @@ typedef enum {
        SCTP_CMD_ADAPTATION_IND, /* generate and send adaptation event */
        SCTP_CMD_ASSOC_SHKEY,    /* generate the association shared keys */
        SCTP_CMD_T1_RETRAN,      /* Mark for retransmission after T1 timeout  */
+       SCTP_CMD_UPDATE_INITTAG, /* Update peer inittag */
        SCTP_CMD_LAST
 } sctp_verb_t;
 

diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 1bb3c5c35d2ab5fc78f252d2edc9e1f2c70b6dab..c0714469233c120b974991f6d5f13afb96884e85 100644 (file)
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -793,6 +793,9 @@ int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
                        break;
 
                case SCTP_CID_ABORT:
+                       if (sctp_test_T_bit(chunk)) {
+                               packet->vtag = asoc->c.my_vtag;
+                       }
                case SCTP_CID_SACK:
                case SCTP_CID_HEARTBEAT:
                case SCTP_CID_HEARTBEAT_ACK:

diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 28eb38eb60833a7e339f2eed56ef47c8545f1985..a4763fd24fd84ab09cd292ad49e04f161d948093 100644 (file)
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -1536,6 +1536,9 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                        error = sctp_auth_asoc_init_active_key(asoc,
                                                GFP_ATOMIC);
                        break;
+               case SCTP_CMD_UPDATE_INITTAG:
+                       asoc->peer.i.init_tag = cmd->obj.u32;
+                       break;
 
                default:
                        printk(KERN_WARNING "Impossible command: %u, %p\n",

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index f2ed6473feef5e60da676c2e36ae412220c0c52b..3ef97499df0ddb1631098b505efb2de2775dca23 100644 (file)
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -4144,6 +4144,24 @@ static sctp_disposition_t sctp_sf_abort_violation(
                goto nomem;
 
        if (asoc) {
+               /* Treat INIT-ACK as a special case during COOKIE-WAIT. */
+               if (chunk->chunk_hdr->type == SCTP_CID_INIT_ACK &&
+                   !asoc->peer.i.init_tag) {
+                       sctp_initack_chunk_t *initack;
+
+                       initack = (sctp_initack_chunk_t *)chunk->chunk_hdr;
+                       if (!sctp_chunk_length_valid(chunk,
+                                                    sizeof(sctp_initack_chunk_t)))
+                               abort->chunk_hdr->flags |= SCTP_CHUNK_FLAG_T;
+                       else {
+                               unsigned int inittag;
+
+                               inittag = ntohl(initack->init_hdr.init_tag);
+                               sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_INITTAG,
+                                               SCTP_U32(inittag));
+                       }
+               }
+
                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);