| From e8b197c4ddfd1b973a3f558ab537e98a590e3491 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 20 Oct 2021 07:42:41 -0400 |
| Subject: sctp: use init_tag from inithdr for ABORT chunk |
| |
| From: Xin Long <lucien.xin@gmail.com> |
| |
| [ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ] |
| |
| Currently Linux SCTP uses the verification tag of the existing SCTP |
| asoc when failing to process and sending the packet with the ABORT |
| chunk. This will result in the peer accepting the ABORT chunk and |
| removing the SCTP asoc. One could exploit this to terminate a SCTP |
| asoc. |
| |
| This patch is to fix it by always using the initiate tag of the |
| received INIT chunk for the ABORT chunk to be sent. |
| |
| Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") |
| Signed-off-by: Xin Long <lucien.xin@gmail.com> |
| Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/sctp/sm_statefuns.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c |
| index 9045f6bcb34c..c3d293dc8281 100644 |
| --- a/net/sctp/sm_statefuns.c |
| +++ b/net/sctp/sm_statefuns.c |
| @@ -6018,6 +6018,7 @@ static struct sctp_packet *sctp_ootb_pkt_new(struct net *net, |
| * yet. |
| */ |
| switch (chunk->chunk_hdr->type) { |
| + case SCTP_CID_INIT: |
| case SCTP_CID_INIT_ACK: |
| { |
| sctp_initack_chunk_t *initack; |
| -- |
| 2.33.0 |
| |
