diff options
| author |   Marco Varlese <marco.varlese@suse.com> | 2018-02-23 17:43:06 +0100 |
|---|---|---|
| committer |   Florin Coras <florin.coras@gmail.com> | 2018-02-25 19:33:48 +0000 |
| commit | 04e5d64c454ec53103fa1f4b7f3634bb61a65d0f (patch) | |
| tree | eb934071bb2254bea39bca2a9804caa07393b4d9 /src/vnet/sctp/sctp_input.c | |
| parent | 3473e4938718a820b63edaeab5ae7738c31379d5 (diff) | |
SCTP: fix connection memory corruption
A bug was found when multiple SCTP connections were being opened to the
same SCTP server. This patch addresses that problem, removing the use of
the 'parent' pointer approach for sub-connection and saving instead
within the sub-connection itself the ID representing its position. That
facilitates pointer-arithmetic to be computed in the
get_connection_from_transport().
Change-Id: Iaa1f4efc501590be1c93e42fd6fe3d6e02f635eb
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
Diffstat (limited to 'src/vnet/sctp/sctp_input.c')
| -rw-r--r-- | src/vnet/sctp/sctp_input.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/src/vnet/sctp/sctp_input.c b/src/vnet/sctp/sctp_input.c index d3e69c68ba0..615cdefd134 100644 --- a/src/vnet/sctp/sctp_input.c +++ b/src/vnet/sctp/sctp_input.c @@ -909,7 +909,7 @@ sctp46_rcv_phase_inline (vlib_main_t * vm, vlib_node_runtime_t * node, idx = sctp_sub_conn_id_via_ip6h (sctp_conn, ip6_hdr); } - sctp_conn->sub_conn[idx].parent = sctp_conn; + sctp_conn->sub_conn[idx].subconn_idx = idx; sctp_full_hdr_t *full_hdr = (sctp_full_hdr_t *) sctp_hdr; sctp_chunk_hdr = @@ -938,7 +938,7 @@ sctp46_rcv_phase_inline (vlib_main_t * vm, vlib_node_runtime_t * node, my_thread_index; new_sctp_conn->sub_conn[idx].PMTU = sctp_conn->sub_conn[idx].PMTU; - new_sctp_conn->sub_conn[idx].parent = new_sctp_conn; + new_sctp_conn->sub_conn[idx].subconn_idx = idx; if (sctp_half_open_connection_cleanup (sctp_conn)) { @@ -1563,7 +1563,8 @@ sctp46_listen_process_inline (vlib_main_t * vm, /* Create child session and send SYN-ACK */ child_conn = sctp_connection_new (my_thread_index); - child_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].parent = child_conn; + child_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx = + MAIN_SCTP_SUB_CONN_IDX; child_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_lcl_port = sctp_hdr->dst_port; child_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_rmt_port = @@ -1748,7 +1749,7 @@ sctp46_established_phase_inline (vlib_main_t * vm, vlib_node_runtime_t * node, idx = sctp_sub_conn_id_via_ip6h (sctp_conn, ip6_hdr); } - sctp_conn->sub_conn[idx].parent = sctp_conn; + sctp_conn->sub_conn[idx].subconn_idx = idx; sctp_full_hdr_t *full_hdr = (sctp_full_hdr_t *) sctp_hdr; sctp_chunk_hdr = |