Commit 405426f6ca8ac2d8d5b1f8eb9285452d44222781
Committed by
David S. Miller
David S. Miller
1 parent
f9e42b8535
Exists in
master
and in
20 other branches
net: sctp: sctp_sf_do_prm_asoc: do SCTP_CMD_INIT_CHOOSE_TRANSPORT first
While this currently cannot trigger any NULL pointer dereference in sctp_seq_dump_local_addrs(), better change the order of commands to prevent a future bug to happen. Although we first add SCTP_CMD_NEW_ASOC and then set the SCTP_CMD_INIT_CHOOSE_TRANSPORT, it is okay for now, since this primitive is only called by sctp_connect() or sctp_sendmsg() with sctp_assoc_add_peer() set first. However, lets do this precaution and first set the transport and then add it to the association hashlist to prevent in future something to possibly triggering this. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 4 additions and 4 deletions Side-by-side Diff
net/sctp/sm_statefuns.c
| ... | ... | @@ -4632,15 +4632,15 @@ |
| 4632 | 4632 | if (!repl) |
| 4633 | 4633 | goto nomem; |
| 4634 | 4634 | |
| 4635 | + /* Choose transport for INIT. */ | |
| 4636 | + sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, | |
| 4637 | + SCTP_CHUNK(repl)); | |
| 4638 | + | |
| 4635 | 4639 | /* Cast away the const modifier, as we want to just |
| 4636 | 4640 | * rerun it through as a sideffect. |
| 4637 | 4641 | */ |
| 4638 | 4642 | my_asoc = (struct sctp_association *)asoc; |
| 4639 | 4643 | sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(my_asoc)); |
| 4640 | - | |
| 4641 | - /* Choose transport for INIT. */ | |
| 4642 | - sctp_add_cmd_sf(commands, SCTP_CMD_INIT_CHOOSE_TRANSPORT, | |
| 4643 | - SCTP_CHUNK(repl)); | |
| 4644 | 4644 | |
| 4645 | 4645 | /* After sending the INIT, "A" starts the T1-init timer and |
| 4646 | 4646 | * enters the COOKIE-WAIT state. |