d55578af GKH |
1 | From foo@baz Wed May 16 12:08:47 CEST 2018 |
2 | From: Xin Long <lucien.xin@gmail.com> | |
3 | Date: Wed, 2 May 2018 13:45:12 +0800 | |
4 | Subject: sctp: fix the issue that the cookie-ack with auth can't get processed | |
5 | ||
6 | From: Xin Long <lucien.xin@gmail.com> | |
7 | ||
8 | [ Upstream commit ce402f044e4e432c296f90eaabb8dbe8f3624391 ] | |
9 | ||
10 | When auth is enabled for cookie-ack chunk, in sctp_inq_pop, sctp | |
11 | processes auth chunk first, then continues to the next chunk in | |
12 | this packet if chunk_end + chunk_hdr size < skb_tail_pointer(). | |
13 | Otherwise, it will go to the next packet or discard this chunk. | |
14 | ||
15 | However, it missed the fact that cookie-ack chunk's size is equal | |
16 | to chunk_hdr size, which couldn't match that check, and thus this | |
17 | chunk would not get processed. | |
18 | ||
19 | This patch fixes it by changing the check to chunk_end + chunk_hdr | |
20 | size <= skb_tail_pointer(). | |
21 | ||
22 | Fixes: 26b87c788100 ("net: sctp: fix remote memory pressure from excessive queueing") | |
23 | Signed-off-by: Xin Long <lucien.xin@gmail.com> | |
24 | Acked-by: Neil Horman <nhorman@tuxdriver.com> | |
25 | Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> | |
26 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
27 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
28 | --- | |
29 | net/sctp/inqueue.c | 2 +- | |
30 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
31 | ||
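--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -178,7 +178,7 @@ struct sctp_chunk *sctp_inq_pop(struct s
 skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
 chunk->subh.v = NULL; /* Subheader is no longer valid. */
 
- if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
+ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <=
 skb_tail_pointer(chunk->skb)) {
 /* This is not a singleton */
 chunk->singleton = 0;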
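Review bot: The `<=` in `chunk->chunk_end + sizeof(sctp_chunkhdr_t) <= skb_tail_pointer(chunk->skb)` is an exact-boundary condition with no comment, and a later cleanup could easily turn it back into `<`. I would put `/* <=: a header-only chunk (e.g. COOKIE-ACK) may exactly fill the rest of the skb */` above the `if`. The change also means a trailing run of exactly one chunk header's worth of bytes from the peer is now parsed as a further chunk. The code that reads that header's length field therefore has to reject a length smaller than the header or reaching past the tail before it is used. That check is not visible here because the body of sctp_inq_pop starts and ends outside the hunk, so it is worth confirming when this is backported.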