| From: Xin Long <lucien.xin@gmail.com> |
| Date: Wed, 2 May 2018 13:45:12 +0800 |
| Subject: sctp: fix the issue that the cookie-ack with auth can't get processed |
| |
| commit ce402f044e4e432c296f90eaabb8dbe8f3624391 upstream. |
| |
| When auth is enabled for cookie-ack chunk, in sctp_inq_pop, sctp |
| processes auth chunk first, then continues to the next chunk in |
| this packet if chunk_end + chunk_hdr size < skb_tail_pointer(). |
| Otherwise, it will go to the next packet or discard this chunk. |
| |
| However, it missed the fact that cookie-ack chunk's size is equal |
| to chunk_hdr size, which couldn't match that check, and thus this |
| chunk would not get processed. |
| |
| This patch fixes it by changing the check to chunk_end + chunk_hdr |
| size <= skb_tail_pointer(). |
| |
| Fixes: 26b87c788100 ("net: sctp: fix remote memory pressure from excessive queueing") |
| Signed-off-by: Xin Long <lucien.xin@gmail.com> |
| Acked-by: Neil Horman <nhorman@tuxdriver.com> |
| Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| [bwh: Backported to 3.16: adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/sctp/inqueue.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/sctp/inqueue.c |
| +++ b/net/sctp/inqueue.c |
| @@ -178,7 +178,7 @@ struct sctp_chunk *sctp_inq_pop(struct s |
| skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t)); |
| chunk->subh.v = NULL; /* Subheader is no longer valid. */ |
| |
| - if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) < |
| + if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <= |
| skb_tail_pointer(chunk->skb)) { |
| /* This is not a singleton */ |
| chunk->singleton = 0; |
