author | Marco Varlese <marco.varlese@suse.com> | 2018-02-23 17:43:06 +0100 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2018-02-25 19:33:48 +0000 |
commit | 04e5d64c454ec53103fa1f4b7f3634bb61a65d0f (patch) | |
tree | eb934071bb2254bea39bca2a9804caa07393b4d9 /src/vnet/sctp/sctp.c | |
parent | 3473e4938718a820b63edaeab5ae7738c31379d5 (diff) |
SCTP: fix connection memory corruption
A bug was found when multiple SCTP connections were being opened to the
same SCTP server. This patch addresses that problem, removing the use of
the 'parent' pointer approach for sub-connection and saving instead
within the sub-connection itself the ID representing its position. That
allows the pointer arithmetic to be performed in
get_connection_from_transport().
Change-Id: Iaa1f4efc501590be1c93e42fd6fe3d6e02f635eb
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
Diffstat (limited to 'src/vnet/sctp/sctp.c')
-rw-r--r-- | src/vnet/sctp/sctp.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/src/vnet/sctp/sctp.c b/src/vnet/sctp/sctp.c
index 4643e8e900a..9a0f47b599f 100644
--- a/src/vnet/sctp/sctp.c
+++ b/src/vnet/sctp/sctp.c
@@ -27,7 +27,8 @@ sctp_connection_bind (u32 session_index, transport_endpoint_t * tep)
 pool_get (tm->listener_pool, listener);
 memset (listener, 0, sizeof (*listener));
- listener->sub_conn[MAIN_SCTP_SUB_CONN_IDX].parent = listener;
+ listener->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx =
+ MAIN_SCTP_SUB_CONN_IDX;
 listener->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_c_index = listener - tm->listener_pool;
 listener->sub_conn[MAIN_SCTP_SUB_CONN_IDX].connection.lcl_port = tep->port;
@@ -273,7 +274,8 @@ sctp_sub_connection_add (u8 thread_index)
 sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].connection.c_index;
 sctp_conn->sub_conn[sctp_conn->next_avail_sub_conn]. connection.thread_index = thread_index;
- sctp_conn->sub_conn[sctp_conn->next_avail_sub_conn].parent = sctp_conn;
+ sctp_conn->sub_conn[sctp_conn->next_avail_sub_conn].subconn_idx =
+ sctp_conn->next_avail_sub_conn;
 sctp_conn->next_avail_sub_conn += 1;
@@ -310,7 +312,8 @@ sctp_connection_new (u8 thread_index)
 pool_get (sctp_main->connections[thread_index], sctp_conn);
 memset (sctp_conn, 0, sizeof (*sctp_conn));
- sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].parent = sctp_conn;
+ sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx =
+ MAIN_SCTP_SUB_CONN_IDX;
 sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_c_index = sctp_conn - sctp_main->connections[thread_index];
 sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_thread_index = thread_index;
@@ -330,7 +333,8 @@ sctp_half_open_connection_new (u8 thread_index)
 memset (sctp_conn, 0, sizeof (*sctp_conn));
 sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_c_index = sctp_conn - tm->half_open_connections;
- sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].parent = sctp_conn;
+ sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx =
+ MAIN_SCTP_SUB_CONN_IDX;
 return sctp_conn;
 }
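Review bot: The `subconn_idx` assignment added in sctp_connection_bind carries an invariant that the code never states: per the commit message, get_connection_from_transport() now recovers the owning connection by pointer arithmetic from this field, so it must always equal the element's position in `sub_conn[]`. Because the `memset` just above already zeroes the struct, the assignment reads as redundant if MAIN_SCTP_SUB_CONN_IDX is 0, and a later cleanup could drop it or a new initialisation path could forget it. I would add a comment at the assignment such as `/* must equal this element's position in sub_conn[]; get_connection_from_transport() derives the parent from it */`. The same applies to the identical assignments in sctp_connection_new and sctp_half_open_connection_new; all three function bodies extend outside their hunks.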
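Review bot: In sctp_sub_connection_add, `sctp_conn->next_avail_sub_conn` indexes `sub_conn[]` and is then incremented, with no bound check visible in the hunk. Now that the parent is recovered by arithmetic on `subconn_idx`, an index past the end of the array would write outside the connection object and later yield a wrong parent address. Unless the part of the function above the hunk already rejects a full array, I would add a guard before these writes, for example `ASSERT (sctp_conn->next_avail_sub_conn < ARRAY_LEN (sctp_conn->sub_conn));`, plus an error return for builds where asserts are compiled out. The same question applies to `idx` in the sctp_connection_open hunk, whose origin is also outside the visible lines.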
@@ -374,7 +378,7 @@ sctp_connection_open (transport_endpoint_t * rmt)
 transport_connection_t *trans_conn = &sctp_conn->sub_conn[idx].connection;
 ip_copy (&trans_conn->rmt_ip, &rmt->ip, rmt->is_ip4);
 ip_copy (&trans_conn->lcl_ip, &lcl_addr, rmt->is_ip4);
- sctp_conn->sub_conn[idx].parent = sctp_conn;
+ sctp_conn->sub_conn[idx].subconn_idx = idx;
 trans_conn->rmt_port = rmt->port;
 trans_conn->lcl_port = clib_host_to_net_u16 (lcl_port);
 trans_conn->is_ip4 = rmt->is_ip4; |