From patchwork Tue Feb 12 23:30:16 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Borkmann X-Patchwork-Id: 220012 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 735C72C0091 for ; Wed, 13 Feb 2013 11:24:04 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759338Ab3BMAX7 (ORCPT ); Tue, 12 Feb 2013 19:23:59 -0500 Received: from mx1.redhat.com ([209.132.183.28]:19006 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751422Ab3BMAX6 (ORCPT ); Tue, 12 Feb 2013 19:23:58 -0500 Received: from int-mx12.intmail.prod.int.phx2.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r1D0NuJw023966 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 12 Feb 2013 19:23:57 -0500 Received: from localhost (vpn1-6-4.ams2.redhat.com [10.36.6.4]) by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id r1CNUGrH023596; Tue, 12 Feb 2013 18:30:17 -0500 From: Daniel Borkmann To: davem@davemloft.net Cc: linux-sctp@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH net] net: sctp: sctp_v6_get_dst: fix boolean test in dst cache Date: Wed, 13 Feb 2013 00:30:16 +0100 Message-Id: <4a07201201d7bac08468d17dea3dbc1ea9a67205.1360709645.git.dborkman@redhat.com> In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.25 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org We walk through the bind address list and try to get the best source address for a given destination. However, currently, we take the 'continue' path of the loop when an entry is invalid (!laddr->valid) *and* the entry state does not equal SCTP_ADDR_SRC (laddr->state != SCTP_ADDR_SRC). Thus, still, invalid entries with SCTP_ADDR_SRC might not 'continue' as well as valid entries with SCTP_ADDR_{NEW, SRC, DEL}, with a possible false baddr and matchlen as a result, causing in worst case dst route to be false or possibly NULL. This test should actually be a '||' instead of '&&'. But lets fix it and make this a bit easier to read by having the condition the same way as similarly done in sctp_v4_get_dst. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Acked-by: Neil Horman --- net/sctp/ipv6.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index f3f0f4d..391a245 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -326,9 +326,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, */ rcu_read_lock(); list_for_each_entry_rcu(laddr, &bp->address_list, list) { - if (!laddr->valid && laddr->state != SCTP_ADDR_SRC) + if (!laddr->valid) continue; - if ((laddr->a.sa.sa_family == AF_INET6) && + if ((laddr->state == SCTP_ADDR_SRC) && + (laddr->a.sa.sa_family == AF_INET6) && (scope <= sctp_scope(&laddr->a))) { bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a); if (!baddr || (matchlen < bmatchlen)) {