diff options
| author | Xin Long <lucien.xin@gmail.com> | 2017-04-15 17:00:27 +0300 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-04-18 20:39:50 +0300 |
| commit | e4dc99c7c21ba456fd72a70ada5d8d5f3850bcf5 (patch) | |
| tree | 229495a2bb00111e9bc642e29872b05d508e3a84 /crypto/gcm.c | |
| parent | b89f04c61efe3b7756434d693b9203cc0cce002e (diff) | |
| download | linux-e4dc99c7c21ba456fd72a70ada5d8d5f3850bcf5.tar.xz | |
sctp: process duplicated strreset out and addstrm out requests correctly
Now sctp stream reconf will process a request again even if it's seqno is
less than asoc->strreset_inseq.
If one request has been done successfully and some data chunks have been
accepted and then a duplicated strreset out request comes, the streamin's
ssn will be cleared. It will cause that stream will never receive chunks
any more because of unsynchronized ssn. It allows a replay attack.
A similar issue also exists when processing addstrm out requests. It will
cause more extra streams being added.
This patch is to fix it by saving the last 2 results into asoc. When a
duplicated strreset out or addstrm out request is received, reply it with
bad seqno if it's seqno < asoc->strreset_inseq - 2, and reply it with the
result saved in asoc if it's seqno >= asoc->strreset_inseq - 2.
Note that it saves last 2 results instead of only last 1 result, because
two requests can be sent together in one chunk.
And note that when receiving a duplicated request, the receiver side will
still reply it even if the peer has received the response. It's safe, As
the response will be dropped by the peer.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'crypto/gcm.c')
0 files changed, 0 insertions, 0 deletions