security: call security_sctp_assoc_request in sctp_sf_do_5_1D_ce
The asoc created when receives the INIT chunk is a temporary one, it
will be deleted after INIT_ACK chunk is replied. So for the real asoc
created in sctp_sf_do_5_1D_ce() when the COOKIE_ECHO chunk is received,
security_sctp_assoc_request() should also be called.
v1->v2:
- fix some typo and grammar errors, noticed by Ondrej.
Fixes: 72e89f5008
("security: Add support for SCTP security hooks")
Reported-by: Prashanth Prahlad <pprahlad@redhat.com>
Reviewed-by: Richard Haines <richard_c_haines@btinternet.com>
Tested-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
c081d53f97
commit
e215dab1c4
@ -151,9 +151,9 @@ establishing an association.
|
||||
INIT --------------------------------------------->
|
||||
sctp_sf_do_5_1B_init()
|
||||
Respond to an INIT chunk.
|
||||
SCTP peer endpoint "A" is
|
||||
asking for an association. Call
|
||||
security_sctp_assoc_request()
|
||||
SCTP peer endpoint "A" is asking
|
||||
for a temporary association.
|
||||
Call security_sctp_assoc_request()
|
||||
to set the peer label if first
|
||||
association.
|
||||
If not first association, check
|
||||
@ -163,9 +163,12 @@ establishing an association.
|
||||
| discard the packet.
|
||||
|
|
||||
COOKIE ECHO ------------------------------------------>
|
||||
|
|
||||
|
|
||||
|
|
||||
sctp_sf_do_5_1D_ce()
|
||||
Respond to an COOKIE ECHO chunk.
|
||||
Confirm the cookie and create a
|
||||
permanent association.
|
||||
Call security_sctp_assoc_request() to
|
||||
do the same as for INIT chunk Response.
|
||||
<------------------------------------------- COOKIE ACK
|
||||
| |
|
||||
sctp_sf_do_5_1E_ca |
|
||||
|
@ -781,6 +781,11 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
|
||||
}
|
||||
}
|
||||
|
||||
if (security_sctp_assoc_request(new_asoc, chunk->skb)) {
|
||||
sctp_association_free(new_asoc);
|
||||
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
|
||||
}
|
||||
|
||||
/* Delay state machine commands until later.
|
||||
*
|
||||
* Re-build the bind address for the association is done in
|
||||
|
Loading…
Reference in New Issue
Block a user