sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
authorXin Long <lucien.xin@gmail.com>
Sun, 2 May 2021 20:41:20 +0000 (04:41 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 22 May 2021 08:40:31 +0000 (10:40 +0200)
commitd3104ec7b9e23a23845bf9c4b1f44fcfc3190e7d
tree6ca0e5ce2254428f0b02e333cc9d965f2923b58e
parent4fc6ebddfffa50d9b4bd9915d303c62f2939208c
sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b

[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ]

Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into
ESTABLISHED from the state < ESTABLISHED and decremented when the asoc
is being deleted.

However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to
ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment
SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB
multiple times but only decrement once at the end.

I was able to reproduce it by using scapy to do the 4-way shakehands,
after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field
changed to different values, and SCTP_MIB_CURRESTAB was incremented
multiple times and never went back to 0 even when the asoc was freed.

This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when
the state < ESTABLISHED in sctp_sf_do_dupcook_b().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/sctp/sm_statefuns.c