Skip to content

Commit df10eec

Browse files
Wei Yongjundavem330
Wei Yongjun
authored and
davem330
committed
sctp: Add check for the TSN field of the SHUTDOWN chunk
If SHUTDOWN chunk is received Cumulative TSN Ack beyond the max tsn currently send, SHUTDOWN chunk be accepted and the association will be broken. New data is send, but after received SACK it will be drop because TSN in SACK is less than the Cumulative TSN, data will be retrans again and again even if correct SACK is received. The packet sequence is like this: Endpoint A Endpoint B ULP (ESTABLISHED) (ESTABLISHED) <----------- DATA (TSN=x-1) <----------- DATA (TSN=x) SHUTDOWN -----------> (Now Cumulative TSN=x+1000) (TSN=x+1000) <----------- DATA (TSN=x+1) SACK -----------> drop the SACK (TSN=x+1) <----------- DATA (TSN=x+1)(retrans) This patch fix this problem by terminating the association and respond to the sender with an ABORT. Signed-off-by: Wei Yongjun <[email protected]> Signed-off-by: Vlad Yasevich <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent 91bd6b1 commit df10eec

File tree

1 file changed

+9
-0
lines changed

1 file changed

+9
-0
lines changed

net/sctp/sm_statefuns.c

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2544,6 +2544,7 @@ sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
25442544
sctp_shutdownhdr_t *sdh;
25452545
sctp_disposition_t disposition;
25462546
struct sctp_ulpevent *ev;
2547+
__u32 ctsn;
25472548

25482549
if (!sctp_vtag_verify(chunk, asoc))
25492550
return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
@@ -2558,6 +2559,14 @@ sctp_disposition_t sctp_sf_do_9_2_shutdown(const struct sctp_endpoint *ep,
25582559
sdh = (sctp_shutdownhdr_t *)chunk->skb->data;
25592560
skb_pull(chunk->skb, sizeof(sctp_shutdownhdr_t));
25602561
chunk->subh.shutdown_hdr = sdh;
2562+
ctsn = ntohl(sdh->cum_tsn_ack);
2563+
2564+
/* If Cumulative TSN Ack beyond the max tsn currently
2565+
* send, terminating the association and respond to the
2566+
* sender with an ABORT.
2567+
*/
2568+
if (!TSN_lt(ctsn, asoc->next_tsn))
2569+
return sctp_sf_violation_ctsn(ep, asoc, type, arg, commands);
25612570

25622571
/* API 5.3.1.5 SCTP_SHUTDOWN_EVENT
25632572
* When a peer sends a SHUTDOWN, SCTP delivers this notification to

0 commit comments

Comments
 (0)