Commit 73d9c4fd authored by Vlad Yasevich's avatar Vlad Yasevich

SCTP: Allow ADD_IP to work with AUTH for backward compatibility.



This patch adds a tunable that will allow ADD_IP to work without
AUTH for backward compatibility.  The default value is off since
the default value for ADD_IP is off as well.  People who need
to use ADD-IP with older implementations take risks of connection
hijacking and should consider upgrading or turning this tunable on.

Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
parent 88799fe5
+2 −0
@@ -212,6 +212,7 @@ extern struct sctp_globals {
	
	/* Flag to indicate if addip is enabled. */
	int addip_enable;
	int addip_noauth_enable;

	/* Flag to indicate if PR-SCTP is enabled. */
	int prsctp_enable;
@@ -249,6 +250,7 @@ extern struct sctp_globals {
#define sctp_local_addr_list		(sctp_globals.local_addr_list)
#define sctp_local_addr_lock		(sctp_globals.addr_list_lock)
#define sctp_addip_enable		(sctp_globals.addip_enable)
#define sctp_addip_noauth		(sctp_globals.addip_noauth_enable)
#define sctp_prsctp_enable		(sctp_globals.prsctp_enable)
#define sctp_auth_enable		(sctp_globals.auth_enable)
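Review bot: The new `addip_noauth_enable` field in the first hunk has no comment, while the neighbouring flags in sctp_globals each carry one; suggest `/* Flag to allow ADD-IP without AUTH (backward compatibility only). */` above it. The accessor macro in the second hunk drops the `_enable` suffix (`sctp_addip_noauth` for `addip_noauth_enable`) whereas `sctp_addip_enable` and `sctp_auth_enable` keep it, so a reader searching for the field by its macro name will miss it; `sctp_addip_noauth_enable` would follow the existing pattern. The struct definition and the macro list both start outside the hunks.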

+6 −2
@@ -262,10 +262,14 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
	 */
	asoc->peer.sack_needed = 1;

	/* Assume that the peer recongizes ASCONF until reported otherwise
	 * via an ERROR chunk.
	/* Assume that the peer will tell us if he recognizes ASCONF
	 * as part of INIT exchange.
	 * The sctp_addip_noauth option is there for backward compatibilty
	 * and will revert old behavior.
	 */
	asoc->peer.asconf_capable = 0;
	if (sctp_addip_noauth)
		asoc->peer.asconf_capable = 1;

	/* Create an input queue.  */
	sctp_inq_init(&asoc->base.inqueue);
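Review bot: The new comment at the top of the hunk misspells "compatibilty"; `* The sctp_addip_noauth option is there for backward compatibility`. The two-statement assignment that follows could be a single line, `asoc->peer.asconf_capable = !!sctp_addip_noauth;`, which reads more directly than setting 0 and conditionally overwriting it. Since the tunable is a host-wide sysctl rather than a per-socket option, the comment could also state that every new association on the host assumes ASCONF capability while it is set, which is the behaviour an administrator is opting into. sctp_association_init continues outside the hunk.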
+1 −0
@@ -1179,6 +1179,7 @@ SCTP_STATIC __init int sctp_init(void)

	/* Disable ADDIP by default. */
	sctp_addip_enable = 0;
	sctp_addip_noauth = 0;

	/* Enable PR-SCTP by default. */
	sctp_prsctp_enable = 1;
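Review bot: The added line sits under the `/* Disable ADDIP by default. */` comment but initialises a different flag; `/* Disable ADDIP, and the ADDIP-without-AUTH compatibility mode, by default. */` would cover both lines. sctp_init continues outside the hunk.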
+3 −1
@@ -2137,8 +2137,10 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,

	/* If the peer claims support for ADD-IP without support
	 * for AUTH, disable support for ADD-IP.
	 * Do this only if backward compatible mode is turned off.
	 */
	if (asoc->peer.asconf_capable && !asoc->peer.auth_capable) {
	if (!sctp_addip_noauth &&
	     (asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
		asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
						  SCTP_PARAM_DEL_IP |
						  SCTP_PARAM_SET_PRIMARY);
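Review bot: The comment above the changed condition says only that the mask is skipped in backward-compatible mode, but this is the point where ASCONF from a peer that never negotiated AUTH stops being disabled, so the trade-off should be stated here rather than only in the commit message: `* With sctp_addip_noauth set, ADD-IP stays enabled for a peer that did not negotiate AUTH; this is the interoperability trade-off described for that sysctl.` The inner parentheses around `asoc->peer.asconf_capable && !asoc->peer.auth_capable` add nothing, and the continuation line is indented with a tab plus spaces rather than aligned to the open paren. The sysctl is also read earlier in sctp_association_init, so a value changed between association creation and INIT processing would leave the two reads disagreeing — presumably acceptable for a tunable set at boot, but worth a line in the comment. sctp_process_init continues outside the hunk.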
+9 −0
@@ -263,6 +263,15 @@ static ctl_table sctp_table[] = {
		.proc_handler	= &proc_dointvec,
		.strategy	= &sysctl_intvec
	},
	{
		.ctl_name	= CTL_UNNUMBERED,
		.procname	= "addip_noauth_enable",
		.data		= &sctp_addip_noauth,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= &proc_dointvec,
		.strategy	= &sysctl_intvec
	},
	{ .ctl_name = 0 }
};
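Review bot: The new sysctl entry comes with no documentation, and the name `addip_noauth_enable` alone does not convey that turning it on keeps ADD-IP usable with peers that never negotiated AUTH; a short entry beside addip_enable's in the sysctl documentation, or a comment above this table entry, should say it exists for interoperability with older peers and carries the risk the commit message describes. The entry mirrors the addip_enable entry above it (proc_dointvec, mode 0644), so any integer value is accepted; that is consistent with its siblings, and the code only tests the value for non-zero. The sctp_table array starts before the hunk.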