From owner-svn-src-all@freebsd.org Mon Aug 15 05:07:04 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0B4A8BBA0DA; Mon, 15 Aug 2016 05:07:04 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DA7661911; Mon, 15 Aug 2016 05:07:03 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u7F573rF070796; Mon, 15 Aug 2016 05:07:03 GMT (envelope-from tuexen@FreeBSD.org) Received: (from tuexen@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u7F573MQ070795; Mon, 15 Aug 2016 05:07:03 GMT (envelope-from tuexen@FreeBSD.org) Message-Id: <201608150507.u7F573MQ070795@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f From: Michael Tuexen Date: Mon, 15 Aug 2016 05:07:03 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r304110 - releng/11.0/sys/netinet X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Aug 2016 05:07:04 -0000 Author: tuexen Date: Mon Aug 15 05:07:02 2016 New Revision: 304110 URL: https://svnweb.freebsd.org/changeset/base/304110 Log: MFC r304082: Improve a consistency check to not detect valid cases for unordered user messages using DATA chunks as invalid ones. While there, ensure that error causes are provided when sending ABORT chunks in case of reassembly problems detected. Thanks to Taylor Brandstetter for making me aware of this problem. Approved by: re (gjb) Modified: releng/11.0/sys/netinet/sctp_indata.c Directory Properties: releng/11.0/ (props changed) Modified: releng/11.0/sys/netinet/sctp_indata.c ============================================================================== --- releng/11.0/sys/netinet/sctp_indata.c Mon Aug 15 05:00:37 2016 (r304109) +++ releng/11.0/sys/netinet/sctp_indata.c Mon Aug 15 05:07:02 2016 (r304110) @@ -1747,21 +1747,27 @@ sctp_process_a_data_chunk(struct sctp_tc * If its a fragmented message, lets see if we can find the control * on the reassembly queues. */ - if ((chtype == SCTP_IDATA) && ((chunk_flags & SCTP_DATA_FIRST_FRAG) == 0) && (fsn == 0)) { + if ((chtype == SCTP_IDATA) && + ((chunk_flags & SCTP_DATA_FIRST_FRAG) == 0) && + (fsn == 0)) { /* * The first *must* be fsn 0, and other (middle/end) pieces - * can *not* be fsn 0. + * can *not* be fsn 0. XXX: This can happen in case of a + * wrap around. Ignore is for now. */ + snprintf(msg, sizeof(msg), "FSN zero for MID=%8.8x, but flags=%2.2x", + msg_id, chunk_flags); goto err_out; } + control = sctp_find_reasm_entry(strm, msg_id, ordered, old_data); + SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags:0x%x look for control on queues %p\n", + chunk_flags, control); if ((chunk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) { /* See if we can find the re-assembly entity */ - control = sctp_find_reasm_entry(strm, msg_id, ordered, old_data); - SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags:0x%x look for control on queues %p\n", - chunk_flags, control); - if (control) { + if (control != NULL) { /* We found something, does it belong? */ if (ordered && (msg_id != control->sinfo_ssn)) { + snprintf(msg, sizeof(msg), "Reassembly problem (MID=%8.8x)", msg_id); err_out: op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_15; @@ -1774,6 +1780,8 @@ sctp_process_a_data_chunk(struct sctp_tc * We can't have a switched order with an * unordered chunk */ + snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)", + tsn); goto err_out; } if (!ordered && (((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) == 0)) { @@ -1781,6 +1789,8 @@ sctp_process_a_data_chunk(struct sctp_tc * We can't have a switched unordered with a * ordered chunk */ + snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)", + tsn); goto err_out; } } @@ -1790,14 +1800,21 @@ sctp_process_a_data_chunk(struct sctp_tc * re-assembly going on with the same Stream/Seq (for * ordered) or in the same Stream for unordered. */ - SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags:0x%x look for msg in case we have dup\n", - chunk_flags); - if (sctp_find_reasm_entry(strm, msg_id, ordered, old_data)) { - SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x dup detected on msg_id: %u\n", - chunk_flags, - msg_id); - - goto err_out; + if (control != NULL) { + if (ordered || (old_data == 0)) { + SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x dup detected on msg_id: %u\n", + chunk_flags, msg_id); + snprintf(msg, sizeof(msg), "Duplicate MID=%8.8x detected.", msg_id); + goto err_out; + } else { + if ((tsn == control->fsn_included + 1) && + (control->end_added == 0)) { + snprintf(msg, sizeof(msg), "Illegal message sequence, missing end for MID: %8.8x", control->fsn_included); + goto err_out; + } else { + control = NULL; + } + } } } /* now do the tests */