SCTP: Allow ADD_IP to work with AUTH for backward compatibility.
This patch adds a tunable that will allow ADD_IP to work without AUTH for backward compatibility. The default value is off since the default value for ADD_IP is off as well. People who need to use ADD-IP with older implementations take risks of connection hijacking and should consider upgrading or turning this tunable on. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
This commit is contained in:
Родитель
88799fe5ec
Коммит
73d9c4fd1a
|
@ -212,6 +212,7 @@ extern struct sctp_globals {
|
|||
|
||||
/* Flag to indicate if addip is enabled. */
|
||||
int addip_enable;
|
||||
int addip_noauth_enable;
|
||||
|
||||
/* Flag to indicate if PR-SCTP is enabled. */
|
||||
int prsctp_enable;
|
||||
|
@ -249,6 +250,7 @@ extern struct sctp_globals {
|
|||
#define sctp_local_addr_list (sctp_globals.local_addr_list)
|
||||
#define sctp_local_addr_lock (sctp_globals.addr_list_lock)
|
||||
#define sctp_addip_enable (sctp_globals.addip_enable)
|
||||
#define sctp_addip_noauth (sctp_globals.addip_noauth_enable)
|
||||
#define sctp_prsctp_enable (sctp_globals.prsctp_enable)
|
||||
#define sctp_auth_enable (sctp_globals.auth_enable)
|
||||
|
||||
|
|
|
@ -262,10 +262,14 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
|
|||
*/
|
||||
asoc->peer.sack_needed = 1;
|
||||
|
||||
/* Assume that the peer recongizes ASCONF until reported otherwise
|
||||
* via an ERROR chunk.
|
||||
/* Assume that the peer will tell us if he recognizes ASCONF
|
||||
* as part of INIT exchange.
|
||||
* The sctp_addip_noauth option is there for backward compatibilty
|
||||
* and will revert old behavior.
|
||||
*/
|
||||
asoc->peer.asconf_capable = 0;
|
||||
if (sctp_addip_noauth)
|
||||
asoc->peer.asconf_capable = 1;
|
||||
|
||||
/* Create an input queue. */
|
||||
sctp_inq_init(&asoc->base.inqueue);
|
||||
|
|
|
@ -1179,6 +1179,7 @@ SCTP_STATIC __init int sctp_init(void)
|
|||
|
||||
/* Disable ADDIP by default. */
|
||||
sctp_addip_enable = 0;
|
||||
sctp_addip_noauth = 0;
|
||||
|
||||
/* Enable PR-SCTP by default. */
|
||||
sctp_prsctp_enable = 1;
|
||||
|
|
|
@ -2137,8 +2137,10 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
|
|||
|
||||
/* If the peer claims support for ADD-IP without support
|
||||
* for AUTH, disable support for ADD-IP.
|
||||
* Do this only if backward compatible mode is turned off.
|
||||
*/
|
||||
if (asoc->peer.asconf_capable && !asoc->peer.auth_capable) {
|
||||
if (!sctp_addip_noauth &&
|
||||
(asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
|
||||
asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
|
||||
SCTP_PARAM_DEL_IP |
|
||||
SCTP_PARAM_SET_PRIMARY);
|
||||
|
|
|
@ -263,6 +263,15 @@ static ctl_table sctp_table[] = {
|
|||
.proc_handler = &proc_dointvec,
|
||||
.strategy = &sysctl_intvec
|
||||
},
|
||||
{
|
||||
.ctl_name = CTL_UNNUMBERED,
|
||||
.procname = "addip_noauth_enable",
|
||||
.data = &sctp_addip_noauth,
|
||||
.maxlen = sizeof(int),
|
||||
.mode = 0644,
|
||||
.proc_handler = &proc_dointvec,
|
||||
.strategy = &sysctl_intvec
|
||||
},
|
||||
{ .ctl_name = 0 }
|
||||
};
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче