lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 7 Jun 2013 18:39:34 +0800
From:	Xufeng Zhang <xufeng.zhang@...driver.com>
To:	<davem@...emloft.net>
CC:	<linux-kernel@...r.kernel.org>, <stable@...r.kernel.org>
Subject: Re: [PATCH] sctp: set association state to established in dupcook_a
 handler

Hi David,

Is this fix fine to you for -stable?


Thanks,
Xufeng

On 06/05/2013 10:55 AM, Xufeng Zhang wrote:
> On 06/03/2013 03:52 PM, Xufeng Zhang wrote:
>> 3.4-stable review patch.  If anyone has any objections, please let me 
>> know.
> Sorry Greg, David -- I did not fully understand all the details
> of the stable kernel process earlier.
>
> I have since checked the networking stable queue here:
>
> http://patchwork.ozlabs.org/bundle/davem/stable/?state=*
>
> to confirm this upstream commit 9839ff0d has not yet been queued.
>
> It can be applied to kernel versions<3.0, 3.4>, and is
> present in mainline for 3.8+ kernels.
>
> I think it makes sense to queue for stable because it
> fixes the SCTP association can get stuck in SCTP_STATE_SHUTDOWN_PENDING
> state forever in the below test case:
> 1). Set SCTP parameters on A (slow detection of link failure):
> net.sctp.association_max_retrans = 5
> net.sctp.path_max_retrans = 5
> net.sctp.hb_interval = 30000
> 2). Set SCTP parameters on B (fast detection of link failure):
> net.sctp.association_max_retrans = 2
> net.sctp.path_max_retrans = 2
> net.sctp.hb_interval = 1000
> 3). Start sctp_darn on both sides:
> A(interactive):
> sctp_darn -H 192.168.100.10 -P 256 -h 192.168.100.100 -p 256 -I -s
> B:
> sctp_darn -H 192.168.100.100 -P 256 -h 192.168.100.10 -p 256 -l&
> 4). Send data on A to establish the SCTP association:
> snd=5
> 5). Block SCTP traffic on B (simulates a network failure):
> iptables -t filter -I INPUT 1 -p sctp --dport 256 -j DROP
> iptables -t filter -I OUTPUT 1 -p sctp --dport 256 -j DROP
> Then quickly send data on A and then shutdown (A goes into 
> SHUTDOWN_PENDING state):
> snd=5
> snd=5
> shutdown
> 6). Wait for link to drop on B (Recieved SCTP_COMM_LOST), and quickly 
> kill the listener,
> open the firewall for SCTP, then start an SCTP sender:
> kill $PID
> iptables -t filter -D INPUT 1
> iptables -t filter -D OUTPUT 1
> sctp_darn -H 192.168.100.100 -P 256 -h 192.168.100.10 -p 256 -s
> Press<Enter>  to send data to trigger sending INIT to A, the SHUTDOWN 
> on A will failed and
> the association on A remains in SHUTDOWN_PENDING (5) state indefinitely.
>
>
> However if David doesn't think it is worth bothering with for
> net stable, then that is of course fine too.
>
>
> Thanks,
> Xufeng
>
>
>
>> ------------------
>>
>>
>> From: Xufeng Zhang<xufeng.zhang@...driver.com>
>>
>> [ Upstream commit 9839ff0dead906e85e4d17490aeff87a5859a157 ]
>>
>> While sctp handling a duplicate COOKIE-ECHO and the action is
>> 'Association restart', sctp_sf_do_dupcook_a() will processing
>> the unexpected COOKIE-ECHO for peer restart, but it does not set
>> the association state to SCTP_STATE_ESTABLISHED, so the association
>> could stuck in SCTP_STATE_SHUTDOWN_PENDING state forever.
>> This violates the sctp specification:
>>    RFC 4960 5.2.4. Handle a COOKIE ECHO when a TCB Exists
>>    Action
>>    A) In this case, the peer may have restarted. .....
>>       After this, the endpoint shall enter the ESTABLISHED state.
>>
>> To resolve this problem, adding a SCTP_CMD_NEW_STATE cmd to the
>> command list before SCTP_CMD_REPLY cmd, this will set the restart
>> association to SCTP_STATE_ESTABLISHED state properly and also avoid
>> I-bit being set in the DATA chunk header when COOKIE_ACK is bundled
>> with DATA chunks.
>>
>> Signed-off-by: Xufeng Zhang<xufeng.zhang@...driver.com>
>> Acked-by: Neil Horman<nhorman@...driver.com>
>> Acked-by: Vlad Yasevich<vyasevich@...il.com>
>> Signed-off-by: David S. Miller<davem@...emloft.net>
>> ---
>>   net/sctp/sm_statefuns.c |    4 +++-
>>   1 files changed, 3 insertions(+), 1 deletions(-)
>>
>> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
>> index cb1c430..ab08f65 100644
>> --- a/net/sctp/sm_statefuns.c
>> +++ b/net/sctp/sm_statefuns.c
>> @@ -1747,8 +1747,10 @@ static sctp_disposition_t 
>> sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
>>
>>       /* Update the content of current association. */
>>       sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, 
>> SCTP_ASOC(new_asoc));
>> -    sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
>>       sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
>> +    sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
>> +            SCTP_STATE(SCTP_STATE_ESTABLISHED));
>> +    sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
>>       return SCTP_DISPOSITION_CONSUME;
>>
>>   nomem_ev:
>
>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ