shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-11 05:17:10 +09:00
Code Issues Packages Projects Releases Wiki Activity

netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE

Browse Source 
[ Upstream commit a9993591fa ]

RFC 9260, Sec 8.5.1 states that for ABORT/SHUTDOWN_COMPLETE, the chunk
MUST be accepted if the vtag of the packet matches its own tag and the
T bit is not set OR if it is set to its peer's vtag and the T bit is set
in chunk flags. Otherwise the packet MUST be silently dropped.

Update vtag verification for ABORT/SHUTDOWN_COMPLETE based on the above
description.

Fixes: 9fb9cbb108 ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Sriram Yagnaraman
2023-01-24 02:47:18 +01:00
committed by Greg Kroah-Hartman
parent 7f9828fb1f
commit 498584ccf4
1 changed files with 16 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
net/netfilter/nf_conntrack_proto_sctp.c
View File

@@ -412,22 +412,29 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
/* Special cases of Verification tag check (Sec 8.5.1) */ /* Special cases of Verification tag check (Sec 8.5.1) */
if (sch->type == SCTP_CID_INIT) { if (sch->type == SCTP_CID_INIT) {
/* Sec 8.5.1 (A) */ /* (A) vtag MUST be zero */
if (sh->vtag != 0) if (sh->vtag != 0)
goto out_unlock; goto out_unlock;
} else if (sch->type == SCTP_CID_ABORT) { } else if (sch->type == SCTP_CID_ABORT) {
/* Sec 8.5.1 (B) */ /* (B) vtag MUST match own vtag if T flag is unset OR
if (sh->vtag != ct->proto.sctp.vtag[dir] && * MUST match peer's vtag if T flag is set
sh->vtag != ct->proto.sctp.vtag[!dir]) */
if ((!(sch->flags & SCTP_CHUNK_FLAG_T) &&
sh->vtag != ct->proto.sctp.vtag[dir]) ||
((sch->flags & SCTP_CHUNK_FLAG_T) &&
sh->vtag != ct->proto.sctp.vtag[!dir]))
goto out_unlock; goto out_unlock;
} else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
/* Sec 8.5.1 (C) */ /* (C) vtag MUST match own vtag if T flag is unset OR
if (sh->vtag != ct->proto.sctp.vtag[dir] && * MUST match peer's vtag if T flag is set
sh->vtag != ct->proto.sctp.vtag[!dir] && */
sch->flags & SCTP_CHUNK_FLAG_T) if ((!(sch->flags & SCTP_CHUNK_FLAG_T) &&
sh->vtag != ct->proto.sctp.vtag[dir]) ||
((sch->flags & SCTP_CHUNK_FLAG_T) &&
sh->vtag != ct->proto.sctp.vtag[!dir]))
goto out_unlock; goto out_unlock;
} else if (sch->type == SCTP_CID_COOKIE_ECHO) { } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
/* Sec 8.5.1 (D) */ /* (D) vtag must be same as init_vtag as found in INIT_ACK */
if (sh->vtag != ct->proto.sctp.vtag[dir]) if (sh->vtag != ct->proto.sctp.vtag[dir])
goto out_unlock; goto out_unlock;
} else if (sch->type == SCTP_CID_HEARTBEAT) { } else if (sch->type == SCTP_CID_HEARTBEAT) {