提交 73d9c4fd 编写于 作者: V Vlad Yasevich

SCTP: Allow ADD_IP to work with AUTH for backward compatibility.

This patch adds a tunable that will allow ADD_IP to work without
AUTH for backward compatibility.  The default value is off since
the default value for ADD_IP is off as well.  People who need
to use ADD-IP with older implementations run the risk of connection
hijacking and should consider upgrading or turning this tunable on.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
上级 88799fe5
...@@ -212,6 +212,7 @@ extern struct sctp_globals { ...@@ -212,6 +212,7 @@ extern struct sctp_globals {
/* Flag to indicate if addip is enabled. */ /* Flag to indicate if addip is enabled. */
int addip_enable; int addip_enable;
int addip_noauth_enable;
/* Flag to indicate if PR-SCTP is enabled. */ /* Flag to indicate if PR-SCTP is enabled. */
int prsctp_enable; int prsctp_enable;
...@@ -249,6 +250,7 @@ extern struct sctp_globals { ...@@ -249,6 +250,7 @@ extern struct sctp_globals {
#define sctp_local_addr_list (sctp_globals.local_addr_list) #define sctp_local_addr_list (sctp_globals.local_addr_list)
#define sctp_local_addr_lock (sctp_globals.addr_list_lock) #define sctp_local_addr_lock (sctp_globals.addr_list_lock)
#define sctp_addip_enable (sctp_globals.addip_enable) #define sctp_addip_enable (sctp_globals.addip_enable)
#define sctp_addip_noauth (sctp_globals.addip_noauth_enable)
#define sctp_prsctp_enable (sctp_globals.prsctp_enable) #define sctp_prsctp_enable (sctp_globals.prsctp_enable)
#define sctp_auth_enable (sctp_globals.auth_enable) #define sctp_auth_enable (sctp_globals.auth_enable)
......
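Review bot: The new `addip_noauth_enable` member added right after `int addip_enable;` has no comment, while each neighbouring member in `struct sctp_globals` carries a one-line description. Since this flag removes the AUTH requirement for ADD-IP and the commit message names connection hijacking as the cost, the header is where a reader will look for that caveat. Suggest `/* Flag to allow ADD-IP without AUTH (backward compatibility only; the commit notes a hijacking risk). */` above the member. The `sctp_addip_noauth` accessor macro in the second hunk follows the existing naming and needs nothing further.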
...@@ -262,10 +262,14 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a ...@@ -262,10 +262,14 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
*/ */
asoc->peer.sack_needed = 1; asoc->peer.sack_needed = 1;
/* Assume that the peer recongizes ASCONF until reported otherwise /* Assume that the peer will tell us if he recognizes ASCONF
* via an ERROR chunk. * as part of INIT exchange.
* The sctp_addip_noauth option is there for backward compatibilty
* and will revert old behavior.
*/ */
asoc->peer.asconf_capable = 0; asoc->peer.asconf_capable = 0;
if (sctp_addip_noauth)
asoc->peer.asconf_capable = 1;
/* Create an input queue. */ /* Create an input queue. */
sctp_inq_init(&asoc->base.inqueue); sctp_inq_init(&asoc->base.inqueue);
......
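Review bot: The added comment in `sctp_association_init` misspells `compatibilty` and leaves "old behavior" undefined; the code beneath it sets `asoc->peer.asconf_capable = 1` when `sctp_addip_noauth` is set, so the association starts out assuming the peer is ASCONF-capable. Because the sysctl is sampled here, at association creation, turning `addip_noauth_enable` off later does not change existing associations, which anyone reverting the setting will want to know. Suggest replacing the two added comment lines with `* The sctp_addip_noauth sysctl restores the old behaviour (peer assumed` / `* ASCONF-capable up front); it is sampled once, when the association is created.`. The function starts and ends outside the hunk.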
...@@ -1179,6 +1179,7 @@ SCTP_STATIC __init int sctp_init(void) ...@@ -1179,6 +1179,7 @@ SCTP_STATIC __init int sctp_init(void)
/* Disable ADDIP by default. */ /* Disable ADDIP by default. */
sctp_addip_enable = 0; sctp_addip_enable = 0;
sctp_addip_noauth = 0;
/* Enable PR-SCTP by default. */ /* Enable PR-SCTP by default. */
sctp_prsctp_enable = 1; sctp_prsctp_enable = 1;
......
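Review bot: The `/* Disable ADDIP by default. */` comment in `sctp_init` now sits above two assignments but describes only the first; the new `sctp_addip_noauth = 0;` should either get its own line of explanation or the comment should cover both, e.g. `/* Disable ADDIP, and its no-AUTH compatibility mode, by default. */`. Defaulting the compatibility mode to off matches the rationale in the commit message.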
...@@ -2137,8 +2137,10 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid, ...@@ -2137,8 +2137,10 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
/* If the peer claims support for ADD-IP without support /* If the peer claims support for ADD-IP without support
* for AUTH, disable support for ADD-IP. * for AUTH, disable support for ADD-IP.
* Do this only if backward compatible mode is turned off.
*/ */
if (asoc->peer.asconf_capable && !asoc->peer.auth_capable) { if (!sctp_addip_noauth &&
(asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP | asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
SCTP_PARAM_DEL_IP | SCTP_PARAM_DEL_IP |
SCTP_PARAM_SET_PRIMARY); SCTP_PARAM_SET_PRIMARY);
......
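Review bot: In `sctp_process_init` the global `sctp_addip_noauth` is consulted a second time, independently of the read in `sctp_association_init` (earlier hunk) that pre-set `asconf_capable`; if the sysctl changes between association creation and INIT processing, the two decisions for the same association are taken under different settings. If that window matters, the value could be captured into the association once at creation and tested here instead of the global; otherwise a comment such as `/* sctp_addip_noauth is read live here, not the value seen at association init. */` would at least make it explicit. The inner parentheses around `asoc->peer.asconf_capable && !asoc->peer.auth_capable` are redundant. The function continues outside the hunk on both sides.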
...@@ -263,6 +263,15 @@ static ctl_table sctp_table[] = { ...@@ -263,6 +263,15 @@ static ctl_table sctp_table[] = {
.proc_handler = &proc_dointvec, .proc_handler = &proc_dointvec,
.strategy = &sysctl_intvec .strategy = &sysctl_intvec
}, },
{
.ctl_name = CTL_UNNUMBERED,
.procname = "addip_noauth_enable",
.data = &sctp_addip_noauth,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &proc_dointvec,
.strategy = &sysctl_intvec
},
{ .ctl_name = 0 } { .ctl_name = 0 }
}; };
......
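Review bot: The new `addip_noauth_enable` sysctl entry uses `proc_dointvec`, so any integer is accepted, while the code in the other hunks only tests the flag for zero versus non-zero; because this knob weakens the AUTH requirement for ADD-IP, bounding it to 0..1 rejects a stray value instead of silently enabling the compatibility mode. That would be `.proc_handler = &proc_dointvec_minmax,` with `.extra1`/`.extra2` pointing at static `int` bounds of 0 and 1, reusing such bounds if this file already defines them for another entry. The entry otherwise matches its siblings (`CTL_UNNUMBERED`, mode 0644, `sysctl_intvec`).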