author Xin Long <lucien.xin@gmail.com> 2021-10-20 07:42:41 -0400
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-11-02 17:38:12 +0100
commit 629d2823abf957bcbcba32154f1f6fd49bdb850c
tree 0d979e24a524cda5f336530ef45c99365e1d1b4b
parent d4ba730c0dcaa5f5baf27fd6d635719cc2134b4f
sctp: use init_tag from inithdr for ABORT chunk
[ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ]

Currently Linux SCTP uses the verification tag of the existing SCTP
asoc when failing to process and sending the packet with the ABORT
chunk. This will result in the peer accepting the ABORT chunk and
removing the SCTP asoc. One could exploit this to terminate a SCTP
asoc.

This patch is to fix it by always using the initiate tag of the
received INIT chunk for the ABORT chunk to be sent.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- net/sctp/sm_statefuns.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index a9ba6f2bb8c8..b83f90bb1a6e 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -6027,6 +6027,7 @@ static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
* yet.
*/
switch (chunk->chunk_hdr->type) {
+ case SCTP_CID_INIT:
case SCTP_CID_INIT_ACK:
{
sctp_initack_chunk_t *initack;
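Review bot: the new `case SCTP_CID_INIT:` label falls through into the INIT_ACK block, so an INIT chunk is now read through the local declared as `sctp_initack_chunk_t *initack`. That is only correct because INIT and INIT_ACK start with the same init header; a short comment on the new case label saying so, or a neutrally named local, would stop a later reader from treating the fall-through as accidental. The block comment ending in `yet.` directly above the switch should also mention INIT if it currently describes only INIT_ACK. Since `sctp_ootb_pkt_new()` now takes the tag from an out-of-the-blue INIT, please confirm that the chunk length is validated against the init header size before this switch is reached; the visible lines do not show such a check.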