| Message ID | 98b2f435ec48fba6c9bbb63908c887f15f67a98d.1619988080.git.lucien.xin@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [net] sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b | expand |
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Mon, 3 May 2021 04:41:20 +0800 you wrote: > Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into > ESTABLISHED from the state < ESTABLISHED and decremented when the asoc > is being deleted. > > However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to > ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment > SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB > multiple times but only decrement once at the end. > > [...] Here is the summary with links: - [net] sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b https://git.kernel.org/netdev/net/c/f282df039126 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 5fc3f3a..fd1e319 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -1953,7 +1953,8 @@ static enum sctp_disposition sctp_sf_do_dupcook_b( sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, SCTP_STATE(SCTP_STATE_ESTABLISHED)); - SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); + if (asoc->state < SCTP_STATE_ESTABLISHED) + SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); /* Update the content of current association. */
Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into ESTABLISHED from the state < ESTABLISHED and decremented when the asoc is being deleted. However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB multiple times but only decrement once at the end. I was able to reproduce it by using scapy to do the 4-way shakehands, after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field changed to different values, and SCTP_MIB_CURRESTAB was incremented multiple times and never went back to 0 even when the asoc was freed. This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when the state < ESTABLISHED in sctp_sf_do_dupcook_b(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> --- net/sctp/sm_statefuns.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)