Commit 73d9c4fd1a6ec4950b2eac8135d35506bf400d6c
1 parent
88799fe5ec
SCTP: Allow ADD_IP to work with AUTH for backward compatibility.
This patch adds a tunable that allows ADD-IP to work without AUTH, for backward compatibility with older implementations. The default is off, matching the default for ADD-IP itself. People who need to use ADD-IP with peers that lack AUTH are exposed to connection hijacking; they should consider upgrading those peers, or else turn this tunable on and accept that risk. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Showing 5 changed files with 21 additions and 3 deletions
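--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -212,6 +212,7 @@
 
 	/* Flag to indicate if addip is enabled. */
 	int addip_enable;
+	int addip_noauth_enable;
 
 	/* Flag to indicate if PR-SCTP is enabled. */
 	int prsctp_enable;
@@ -249,6 +250,7 @@
 #define sctp_local_addr_list (sctp_globals.local_addr_list)
 #define sctp_local_addr_lock (sctp_globals.addr_list_lock)
 #define sctp_addip_enable (sctp_globals.addip_enable)
+#define sctp_addip_noauth (sctp_globals.addip_noauth_enable)
 #define sctp_prsctp_enable (sctp_globals.prsctp_enable)
 #define sctp_auth_enable (sctp_globals.auth_enable)
 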
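Review bot: The new `int addip_noauth_enable;` field is placed directly under the comment `/* Flag to indicate if addip is enabled. */`, which now describes only `addip_enable`, so a reader of the header sees nothing marking this flag as one that weakens a security check. Give it its own comment, e.g. `/* Flag to allow ADD-IP without AUTH; backward compatibility only, exposes associations to hijacking. */`. The struct behind `sctp_globals` starts and ends outside both hunks.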
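--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -262,10 +262,14 @@
 	 */
 	asoc->peer.sack_needed = 1;
 
-	/* Assume that the peer recongizes ASCONF until reported otherwise
-	 * via an ERROR chunk.
+	/* Assume that the peer will tell us if he recognizes ASCONF
+	 * as part of INIT exchange.
+	 * The sctp_addip_noauth option is there for backward compatibilty
+	 * and will revert old behavior.
 	 */
 	asoc->peer.asconf_capable = 0;
+	if (sctp_addip_noauth)
+		asoc->peer.asconf_capable = 1;
 
 	/* Create an input queue. */
 	sctp_inq_init(&asoc->base.inqueue);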
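Review bot: The two-step `asoc->peer.asconf_capable = 0;` followed by `if (sctp_addip_noauth) asoc->peer.asconf_capable = 1;` reads better as one assignment, `asoc->peer.asconf_capable = !!sctp_addip_noauth;`, and that form also makes visible that the tunable is sampled once here at association setup, so flipping the sysctl later does not change existing associations — worth a sentence in the comment. The new comment has typos (`compatibilty`, and `he` for the peer) and should state the consequence rather than just "revert old behavior": with the option on, the peer is presumed ASCONF-capable before the INIT exchange has said anything, which is what the old pre-AUTH code assumed. The enclosing function starts and ends outside the hunk.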
net/sctp/protocol.c
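--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2137,8 +2137,10 @@
 
 	/* If the peer claims support for ADD-IP without support
 	 * for AUTH, disable support for ADD-IP.
+	 * Do this only if backward compatible mode is turned off.
 	 */
-	if (asoc->peer.asconf_capable && !asoc->peer.auth_capable) {
+	if (!sctp_addip_noauth &&
+	    (asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
 		asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
 						   SCTP_PARAM_DEL_IP |
 						   SCTP_PARAM_SET_PRIMARY);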
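Review bot: When `sctp_addip_noauth` is set, the new condition leaves `addip_disabled_mask` clear for a peer that advertised ADD-IP but not AUTH, so ASCONF, DEL-IP and SET-PRIMARY from that peer will presumably be honoured unauthenticated — the hijacking risk the commit message names — yet nothing records that the insecure mode was actually exercised. Consider an `else if (asoc->peer.asconf_capable && !asoc->peer.auth_capable)` branch that emits a one-time or rate-limited kernel warning, e.g. `printk(KERN_WARNING "sctp: accepting ADD-IP without AUTH from peer (addip_noauth_enable)\n");`, so operators have a trace when a legacy peer triggers it. The comment line `Do this only if backward compatible mode is turned off.` should also say what "on" means: `/* With addip_noauth_enable set we keep ADD-IP enabled even without AUTH, contrary to RFC 5061, so unauthenticated ASCONF can alter the address list. */`. The enclosing function and the `if` body continue outside the hunk.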
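--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -263,6 +263,15 @@
 		.proc_handler = &proc_dointvec,
 		.strategy = &sysctl_intvec
 	},
+	{
+		.ctl_name = CTL_UNNUMBERED,
+		.procname = "addip_noauth_enable",
+		.data = &sctp_addip_noauth,
+		.maxlen = sizeof(int),
+		.mode = 0644,
+		.proc_handler = &proc_dointvec,
+		.strategy = &sysctl_intvec
+	},
 	{ .ctl_name = 0 }
 };
 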
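Review bot: The new `addip_noauth_enable` entry uses plain `proc_dointvec`, so any non-zero value, negatives included, switches the insecure mode on, and none of the five changed files is a documentation file, so a tunable that disables an RFC 5061 security check ships undocumented. Bound it like the boolean it is — `.proc_handler = &proc_dointvec_minmax` with `.extra1`/`.extra2` pointing at 0 and 1 statics, if this file already defines them — and add an `ip-sysctl.txt` entry saying that it re-enables ADD-IP for peers without AUTH, that this permits the connection hijacking the commit message warns about, and that the default is 0.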