Skip to content

Commit

Permalink
sctp: use init_tag from inithdr for ABORT chunk
Browse files Browse the repository at this point in the history 
[ Upstream commit 4f7019c ]

Currently Linux SCTP uses the verification tag of the existing SCTP
asoc when failing to process and sending the packet with the ABORT
chunk. This will result in the peer accepting the ABORT chunk and
removing the SCTP asoc. One could exploit this to terminate a SCTP
asoc.

This patch is to fix it by always using the initiate tag of the
received INIT chunk for the ABORT chunk to be sent.

Fixes: 1da177e ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
Xin Long authored and Greg Kroah-Hartman committed Nov 2, 2021
1 parent d8b6d0b commit 42ce7a6
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/sctp/sm_statefuns.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6018,6 +6018,7 @@ static struct sctp_packet *sctp_ootb_pkt_new(struct net *net,
* yet.
*/
switch (chunk->chunk_hdr->type) {
case SCTP_CID_INIT:
case SCTP_CID_INIT_ACK:
{
sctp_initack_chunk_t *initack;
Expand Down

0 comments on commit 42ce7a6

Please sign in to comment.