From 6734582ceec5fefa50f84fc008d9c9487d6d412b Mon Sep 17 00:00:00 2001 From: tuexen Date: Wed, 8 Jul 2020 15:49:30 +0000 Subject: [PATCH] Don't accept FORWARD-TSN chunks when I-FORWARD-TSN was negotiated and vice versa. MFC after: 1 week --- sys/netinet/sctp_input.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c index 27d54dd91135..973b52b69461 100644 --- a/sys/netinet/sctp_input.c +++ b/sys/netinet/sctp_input.c @@ -5089,7 +5089,8 @@ sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, break; case SCTP_FORWARD_CUM_TSN: case SCTP_IFORWARD_CUM_TSN: - SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD_TSN\n"); + SCTPDBG(SCTP_DEBUG_INPUT3, "%s\n", + ch->chunk_type == SCTP_FORWARD_CUM_TSN ? "FORWARD_TSN" : "I_FORWARD_TSN"); if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { /* Its not ours */ *offset = length; @@ -5102,6 +5103,18 @@ sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, if (stcb->asoc.prsctp_supported == 0) { goto unknown_chunk; } + if (((asoc->idata_supported == 1) && (ch->chunk_type == SCTP_FORWARD_CUM_TSN)) || + ((asoc->idata_supported == 0) && (ch->chunk_type == SCTP_IFORWARD_CUM_TSN))) { + if (ch->chunk_type == SCTP_FORWARD_CUM_TSN) { + SCTP_SNPRINTF(msg, sizeof(msg), "%s", "FORWARD-TSN chunk received when I-FORWARD-TSN was negotiated"); + } else { + SCTP_SNPRINTF(msg, sizeof(msg), "%s", "I-FORWARD-TSN chunk received when FORWARD-TSN was negotiated"); + } + op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); + sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); + *offset = length; + return (NULL); + } *fwd_tsn_seen = 1; if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { /* We are not interested anymore */