author Xin Long <lucien.xin@gmail.com> 2021-10-20 14:42:41 +0300
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-11-02 21:46:14 +0300
commit 5953ee99bab134d74c805a00eaa20fed33f54255
tree 610d2253878300ed31b626e9580b6449f5d51ef5
parent 5395650d154c84eb5e0a38bdad2b4dc86e5e9684
sctp: use init_tag from inithdr for ABORT chunk
[ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ]

Currently Linux SCTP uses the verification tag of the existing SCTP asoc when failing to process and sending the packet with the ABORT chunk. This will result in the peer accepting the ABORT chunk and removing the SCTP asoc. One could exploit this to terminate a SCTP asoc.

This patch is to fix it by always using the initiate tag of the received INIT chunk for the ABORT chunk to be sent.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- net/sctp/sm_statefuns.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 82a202d71a31..962b848459f5 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -6248,6 +6248,7 @@ static struct sctp_packet *sctp_ootb_pkt_new(
* yet.
*/
switch (chunk->chunk_hdr->type) {
+ case SCTP_CID_INIT:
case SCTP_CID_INIT_ACK:
{
struct sctp_initack_chunk *initack;
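Review bot: The new `case SCTP_CID_INIT:` label falls through into the INIT_ACK block, whose local is declared as `struct sctp_initack_chunk *initack`, so an INIT chunk is now read through the INIT ACK type with no comment stating that the two share the header layout being relied on. Consider a short comment at the label saying so and marking the fall-through as intentional, or renaming the local to something neutral now that it covers both chunk types. The hunk ends at the declaration, so it is not visible here whether the block checks the chunk length before reading the initiate tag; since the commit message says this path runs when processing of the received chunk has failed, that check is worth confirming for the INIT case as well.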