An ootb chunk, such as data in closed state or init-ack in estab state, will cause SCTP to enter a dead loop. It looks like this:

(1)
 Endpoint A                      Endpoint B
 (Closed)                        (Closed)

 DATA      ----------------->   Kernel dead loop
 (With Length set to zero)

(2)
 Endpoint A                      Endpoint B
 (Established)                   (Established)

 INIT-ACK   ----------------->   Kernel dead loop
 (With Length set to zero)


This is because, when chunks are processed, chunk->chunk_end is set to chunk->chunk_hdr plus the chunk length; if the chunk length is set to zero, chunk->chunk_end will never be changed and the process enters a dead loop.
The following is the patch.

Signed-off-by: Wei Yongjun <[EMAIL PROTECTED]>

--- a/net/sctp/inqueue.c        2007-08-25 10:53:45.000000000 -0400
+++ b/net/sctp/inqueue.c        2007-08-26 05:45:57.000000000 -0400
@@ -165,10 +165,8 @@ struct sctp_chunk *sctp_inq_pop(struct s
        skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
        chunk->subh.v = NULL; /* Subheader is no longer valid.  */

-       if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
-               /* This is not a singleton */
-               chunk->singleton = 0;
-       } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
+       if (chunk->chunk_end > skb_tail_pointer(chunk->skb) ||
+           chunk->chunk_end == chunk->chunk_hdr) {
                /* RFC 2960, Section 6.10  Bundling
                 *
                 * Partial chunks MUST NOT be placed in an SCTP packet.
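Review bot: The added `chunk->chunk_end == chunk->chunk_hdr` test in the new first condition matches only a length field of exactly zero, while the `skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t))` just above has already consumed a full header, so any length smaller than the header is equally malformed. Consider rejecting every chunk whose length is below `sizeof(sctp_chunkhdr_t)` rather than special-casing zero. The comment inside this branch still cites only the RFC 2960 Section 6.10 partial-chunk rule; it should also say that zero-length chunks are discarded here and why, since that is the case this change exists for.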
@@ -183,6 +181,9 @@ struct sctp_chunk *sctp_inq_pop(struct s
                chunk = queue->in_progress = NULL;

                return NULL;
+       } else if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
+               /* This is not a singleton */
+               chunk->singleton = 0;
        } else {
                /* We are at the end of the packet, so mark the chunk
                 * in case we need to send a SACK.
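Review bot: The order of these branches now matters and nothing in the code says so: a zero-length chunk also satisfies `chunk->chunk_end < skb_tail_pointer(chunk->skb)`, so if this moved `else if` were ever put back above the discard test, the chunk would again be treated as a bundled non-singleton and the loop would return. Add a short comment on the discard condition stating that it must be evaluated first. It is also worth noting in the changelog that the discard path ends in `return NULL`, so the bad chunk is dropped without any reply to the sender.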


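The length check that the message above describes, written out as an added userspace example; it is not part of the patch or of the kernel source. `count_chunks`, the sample packets and the choice to tolerate missing padding on the last chunk are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* An SCTP chunk header is type, flags and a 16-bit big-endian length that
 * counts the 4-byte header itself, so a length below 4 is malformed. */
#define CHUNK_HDR_LEN 4u

/* Hypothetical helper, not a kernel function: walk the bundled chunks in
 * buf[0..len) and return their count, or -1 on a malformed chunk. Every
 * accepted chunk moves the cursor by at least 4 bytes, so the walk ends. */
int count_chunks(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (len - off >= CHUNK_HDR_LEN) {
        size_t clen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        size_t padded = (clen + 3u) & ~(size_t)3u; /* 4-byte padding */

        if (clen < CHUNK_HDR_LEN) /* zero or short: not even a header */
            return -1;
        if (clen > len - off)     /* partial chunk runs past the packet */
            return -1;
        if (padded > len - off)   /* example's choice: tolerate missing */
            padded = len - off;   /* padding on the last chunk */
        off += padded;
        n++;
    }
    return off == len ? n : -1;   /* leftover bytes cannot hold a header */
}

/* Constructed sample packets (chunk area only, no SCTP common header). */
static const uint8_t good_pkt[] = {
    0x00, 0x03, 0x00, 0x05, 0xaa, 0x00, 0x00, 0x00, /* length 5, padded to 8 */
    0x02, 0x00, 0x00, 0x04                          /* header only, length 4 */
};
static const uint8_t zero_len_pkt[] = {
    0x00, 0x03, 0x00, 0x00, 0xaa, 0xbb, 0xcc, 0xdd  /* length field is zero */
};
static const uint8_t partial_pkt[] = {
    0x00, 0x03, 0x00, 0x10, 0xaa, 0xbb, 0xcc, 0xdd  /* claims 16, has 8 */
};

int main(void)
{
    /* Exit status 0 when all three packets are classified as expected. */
    return !(count_chunks(good_pkt, sizeof good_pkt) == 2 &&
             count_chunks(zero_len_pkt, sizeof zero_len_pkt) == -1 &&
             count_chunks(partial_pkt, sizeof partial_pkt) == -1);
}
```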