Wei Yongjun wrote:
> An OOTB chunk such as DATA in the CLOSED state or INIT-ACK in the ESTABLISHED state will 
> cause SCTP to enter a dead loop. It looks like this:
> 
> (1)
>   Endpoint A                      Endpoint B
>   (Closed)                        (Closed)
> 
>   DATA      ----------------->   Kernel dead loop
>   (With Length set to zero)
> 
> (2)
>   Endpoint A                      Endpoint B
>   (Established)                   (Established)
> 
>   INIT-ACK   ----------------->   Kernel dead loop
>   (With Length set to zero)
> 
> 
> This is because when processing chunks, chunk->chunk_end is set to 
> chunk->chunk_hdr plus the chunk length; if the chunk length is set to zero, 
> chunk->chunk_end will never change and processing enters a dead loop.
> Following is the patch.

NACK

Section 8.4:

   An SCTP packet is called an "out of the blue" (OOTB) packet if it is
   correctly formed (i.e., passed the receiver's CRC32c check; see
   Section 6.8), but the receiver is not able to identify the
   association to which this packet belongs.


I would argue that the packet is not correctly formed in this case
and deserves a protocol violation ABORT in return.

-vlad

> 
> Signed-off-by: Wei Yongjun <[EMAIL PROTECTED]>
> 
> --- a/net/sctp/inqueue.c      2007-08-25 10:53:45.000000000 -0400
> +++ b/net/sctp/inqueue.c      2007-08-26 05:45:57.000000000 -0400
> @@ -165,10 +165,8 @@ struct sctp_chunk *sctp_inq_pop(struct s
>       skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
>       chunk->subh.v = NULL; /* Subheader is no longer valid.  */
>  
> -     if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
> -             /* This is not a singleton */
> -             chunk->singleton = 0;
> -     } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
> +     if (chunk->chunk_end > skb_tail_pointer(chunk->skb) ||
> +         chunk->chunk_end == chunk->chunk_hdr) {
>               /* RFC 2960, Section 6.10  Bundling
>                *
>                * Partial chunks MUST NOT be placed in an SCTP packet.
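Review bot: the new condition `chunk->chunk_end == chunk->chunk_hdr` only catches a length field of exactly zero, yet a length of 1..3 is just as malformed, since the header that `skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t))` has already consumed is four bytes long; validate the raw length before chunk_end is derived from it (reject anything below `sizeof(sctp_chunkhdr_t)`) rather than testing the derived pointer. Unless chunk_hdr is declared as a byte pointer like chunk_end (the one compared against `skb_tail_pointer()`), the comparison also mixes pointer types and needs a cast. The comment that follows still describes only the partial-chunk case of RFC 2960, Section 6.10, while this branch now also swallows a zero-length chunk, which is an invalid chunk rather than a partial one; say so in the comment.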
> @@ -183,6 +181,9 @@ struct sctp_chunk *sctp_inq_pop(struct s
>               chunk = queue->in_progress = NULL;
>  
>               return NULL;
> +     } else if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
> +             /* This is not a singleton */
> +             chunk->singleton = 0;
>       } else {
>               /* We are at the end of the packet, so mark the chunk
>                * in case we need to send a SACK.
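Review bot: the reorder of the `chunk->chunk_end < skb_tail_pointer(chunk->skb)` branch below the error branch is what makes the fix work at all (a zero-length chunk_end also compares below the tail, so in the old order the not-a-singleton branch would win and the error check would never fire), but nothing in the patch records that; put a one-line comment ahead of the moved `else if`, or state the ordering requirement in the changelog, so the branches are not "simplified" back into their old order later. Note also that the context lines `chunk = queue->in_progress = NULL;` / `return NULL;` mean an invalid length now silently drops the rest of the packet with no signal to the caller.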
> 
> 
> 
> Lksctp-developers mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/lksctp-developers
> 
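The length check the patch is after, written out as a stand-alone chunk walker. This is an added example, not the kernel's sctp_inq_pop() and not code from either poster: it assumes the RFC 2960 Section 3.2 chunk layout (1-byte type, 1-byte flags, 2-byte big-endian length that counts the header but not the padding, chunks padded to a multiple of 4 bytes) behind a 12-byte common header, and every packet it walks is constructed inline rather than captured. sctp_walk_unchecked() reproduces the reported hang (an iteration cap turns the dead loop into an error); sctp_walk_checked() rejects any length below the 4-byte header, which also covers lengths 1..3 that an equality test against the header pointer would miss, and reports a chunk that runs past the packet as the Section 6.10 partial-chunk case. Function and status names are this example's own.

```c
/* Added example: bounds-checked SCTP chunk walking. Not the kernel's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SCTP_COMMON_HDR_LEN 12   /* src port, dst port, verification tag, checksum */
#define SCTP_CHUNK_HDR_LEN   4   /* type, flags, length (RFC 2960 Section 3.2) */

enum walk_status {
    WALK_ERR_TRUNCATED = -1,     /* packet shorter than the common header */
    WALK_ERR_PARTIAL   = -2,     /* chunk runs past the packet (RFC 2960 Section 6.10) */
    WALK_ERR_SHORT_LEN = -3,     /* chunk length below its own header: protocol violation */
    WALK_ERR_STUCK     = -4      /* unchecked walker made no progress (the reported dead loop) */
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static size_t word_round(size_t n) { return (n + 3u) & ~(size_t)3u; }

/* Mirrors the faulty loop: chunk_end = chunk_hdr + rounded length, with no lower
 * bound on the length. A zero length leaves the cursor where it is; max_iter turns
 * the resulting hang into WALK_ERR_STUCK instead of spinning forever. */
int sctp_walk_unchecked(const uint8_t *pkt, size_t pkt_len, unsigned max_iter)
{
    if (pkt_len < SCTP_COMMON_HDR_LEN) return WALK_ERR_TRUNCATED;
    const uint8_t *p = pkt + SCTP_COMMON_HDR_LEN, *end = pkt + pkt_len;
    int n = 0;
    for (unsigned i = 0; p < end; i++) {
        if (i >= max_iter) return WALK_ERR_STUCK;
        if ((size_t)(end - p) < SCTP_CHUNK_HDR_LEN) return WALK_ERR_PARTIAL;
        size_t step = word_round(get_be16(p + 2));
        if (step > (size_t)(end - p)) return WALK_ERR_PARTIAL;
        p += step;               /* step == 0 when length == 0: p never advances */
        n++;
    }
    return n;
}

/* Hardened walker: validates the raw length field before deriving a cursor from it.
 * Returns the chunk count, or a negative walk_status. Chunk types are copied to
 * types[] (up to max_types) when a buffer is supplied. */
int sctp_walk_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *types, size_t max_types)
{
    if (pkt_len < SCTP_COMMON_HDR_LEN) return WALK_ERR_TRUNCATED;
    const uint8_t *p = pkt + SCTP_COMMON_HDR_LEN, *end = pkt + pkt_len;
    int n = 0;
    while (p < end) {
        size_t remaining = (size_t)(end - p);
        if (remaining < SCTP_CHUNK_HDR_LEN) return WALK_ERR_PARTIAL;   /* header itself cut off */
        uint16_t len = get_be16(p + 2);
        if (len < SCTP_CHUNK_HDR_LEN) return WALK_ERR_SHORT_LEN;       /* rejects 0..3, not just 0 */
        size_t step = word_round(len);
        if (step > remaining) return WALK_ERR_PARTIAL;   /* strict: padding must be present too */
        if (types && (size_t)n < max_types) types[n] = p[0];
        p += step;
        n++;
    }
    return n;
}

/* Test-vector builder: append one chunk (header, value, zero padding to 4 bytes) at
 * buf+off and return the new offset. The length field is written exactly as given so
 * that malformed values can be constructed. */
size_t put_chunk(uint8_t *buf, size_t off, uint8_t type, uint16_t length,
                 const uint8_t *value, size_t value_len)
{
    buf[off] = type; buf[off + 1] = 0;
    buf[off + 2] = (uint8_t)(length >> 8); buf[off + 3] = (uint8_t)length;
    if (value_len) memcpy(buf + off + SCTP_CHUNK_HDR_LEN, value, value_len);
    size_t total = word_round(SCTP_CHUNK_HDR_LEN + value_len);
    memset(buf + off + SCTP_CHUNK_HDR_LEN + value_len, 0, total - SCTP_CHUNK_HDR_LEN - value_len);
    return off + total;
}

/* Constructed packets (not captures): a 12-byte all-zero common header, then chunks. */
int case_valid(void)              /* SHUTDOWN (8 bytes) bundled with DATA (17 bytes, padded to 20) */
{
    uint8_t pkt[64] = {0}, tsn[4] = {0, 0, 0, 1}, data[13] = {0}, types[4];
    size_t off = put_chunk(pkt, SCTP_COMMON_HDR_LEN, 7, 8, tsn, 4);
    off = put_chunk(pkt, off, 0, 17, data, 13);
    return sctp_walk_checked(pkt, off, types, 4);         /* 2 */
}
int case_zero_length(int checked) /* DATA with Length = 0: the reported dead loop */
{
    uint8_t pkt[32] = {0};
    size_t off = put_chunk(pkt, SCTP_COMMON_HDR_LEN, 0, 0, NULL, 0);
    return checked ? sctp_walk_checked(pkt, off, NULL, 0)
                   : sctp_walk_unchecked(pkt, off, 1000);
}
int case_short_length(void)       /* Length = 3: below the header, missed by an == 0 test */
{
    uint8_t pkt[32] = {0};
    size_t off = put_chunk(pkt, SCTP_COMMON_HDR_LEN, 2, 3, NULL, 0);
    return sctp_walk_checked(pkt, off, NULL, 0);
}
int case_partial(void)            /* Length = 64 with only the header present */
{
    uint8_t pkt[32] = {0};
    size_t off = put_chunk(pkt, SCTP_COMMON_HDR_LEN, 1, 64, NULL, 0);
    return sctp_walk_checked(pkt, off, NULL, 0);
}
```

The one design point worth taking back to the patch: the lower bound is applied to the raw 16-bit length before any pointer is computed from it, so the walker never holds a chunk_end it has to second-guess later, and the "partial chunk" test is kept separate so a malformed length and a truncated packet remain distinguishable to the caller.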

