| From 8ff3f13dc07f566051a296f2ed9d50ddfac8c4d0 Mon Sep 17 00:00:00 2001 |
| From: Jiri Wiesner <jwiesner@suse.com> |
| Date: Sat, 18 Jan 2020 13:10:50 +0100 |
| Subject: [PATCH] netfilter: conntrack: sctp: use distinct states for new SCTP |
| connections |
| |
| commit ab658b9fa7a2c467f79eac8b53ea308b8f98113d upstream. |
| |
| The netlink notifications triggered by the INIT and INIT_ACK chunks |
| for a tracked SCTP association do not include protocol information |
| for the corresponding connection - SCTP state and verification tags |
| for the original and reply direction are missing. Since the connection |
| tracking implementation allows user space programs to receive |
| notifications about a connection and then create a new connection |
| based on the values received in a notification, it makes sense that |
| INIT and INIT_ACK notifications should contain the SCTP state |
| and verification tags available at the time when a notification |
| is sent. The missing verification tags cause a newly created |
| netfilter connection to fail to verify the tags of SCTP packets |
| when this connection has been created from the values previously |
| received in an INIT or INIT_ACK notification. |
| |
| A PROTOINFO event is cached in sctp_packet() when the state |
| of a connection changes. The CLOSED and COOKIE_WAIT state will |
| be used for connections that have seen an INIT and INIT_ACK chunk, |
| respectively. The distinct states will cause a connection state |
| change in sctp_packet(). |
| |
| Signed-off-by: Jiri Wiesner <jwiesner@suse.com> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c |
| index d4e927c1b943..8ddcd5100638 100644 |
| --- a/net/netfilter/nf_conntrack_proto_sctp.c |
| +++ b/net/netfilter/nf_conntrack_proto_sctp.c |
| @@ -114,7 +114,7 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { |
| { |
| /* ORIGINAL */ |
| /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ |
| -/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA}, |
| +/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA}, |
| /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA}, |
| /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, |
| /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS}, |
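Review bot: The changed init row at L42 now encodes a convention that the array itself does not explain — sCL means "INIT seen" and sCW means "INIT_ACK seen" — and a reader of the table cannot recover that from the row; it should carry a comment such as `/* init: sNO/sCL -> sCL ("INIT seen"); INIT_ACK advances to sCW, so the two chunks yield distinct states and sctp_packet() caches a PROTOINFO event for each */`. One caveat belongs next to it: if per-state timeouts are indexed by this state (not visible in the hunk), an association that only ever saw an INIT now ages out under the CLOSED timeout rather than the COOKIE_WAIT one, which changes how long unanswered INITs occupy the conntrack table. The sHS column still maps an INIT to sCW, so an INIT arriving in HEARTBEAT_SENT is treated differently from one in sNO/sCL; if that asymmetry is intended it deserves a word in the same comment.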
| @@ -130,7 +130,7 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { |
| /* REPLY */ |
| /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */ |
| /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */ |
| -/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA}, |
| +/* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA}, |
| /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL}, |
| /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR}, |
| /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA}, |
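Review bot: The REPLY init_ack row at L51 now advances sCL to sCW while the REPLY init row at L49 still keeps sCL in sCL under a "Big TODO" comment, so in the visible rows an INIT_ACK is the only reply-direction chunk that moves an INIT-seen association forward; that asymmetry should be documented on the changed row, e.g. `/* init_ack in sCL: the INIT we tracked has been answered; advance to sCW so sctp_packet() sees a state change and emits PROTOINFO */`. Reply-direction chunks at sNO remain sIV, so the new transition can only fire after an original-direction INIT has put the association in sCL. A retransmitted INIT_ACK in sCW maps sCW -> sCW with no state change, so it will not re-trigger the event the commit relies on; worth confirming that a listener which missed the first notification does not depend on the retransmission.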
| @@ -316,7 +316,7 @@ sctp_new(struct nf_conn *ct, const struct sk_buff *skb, |
| ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; |
| } |
| |
| - ct->proto.sctp.state = new_state; |
| + ct->proto.sctp.state = SCTP_CONNTRACK_NONE; |
| } |
| |
| return true; |
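Review bot: The assignment at L60 silently relies on two things — that sctp_packet() runs next on the same conntrack, and that SCTP_CONNTRACK_NONE differs from every table result — so that the first packet produces the old_state != new_state transition the description says caches the PROTOINFO event; that contract should be stated on the line, e.g. `/* Leave the state at sNO: the first sctp_packet() call then sees a transition and caches a PROTOINFO event carrying the vtags set above. */`. sctp_new begins before this hunk, so whether the new_state computed earlier is still consumed beyond whatever validation precedes the hunk cannot be confirmed here; if it is now used only for validation, its name no longer matches its role and a short comment or rename would help the next reader. The reply vtag store at L56 happens before the state is reset, so the event emitted on the next packet will carry it, which is what the description asks for.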
| -- |
| 2.7.4 |
| |