SCTP: Fix a potential race between timers and receive path.

[linux-2.6-omap-h63xx.git] / net / sctp / sm_make_chunk.c
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c

index c055212875f61331ec2d340ff92ff6f70197212c..43e8de1228f9791b17b8de37893a69f50d1be1c2 100644 (file)
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1513,8 +1513,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep,
                 struct hash_desc desc;
  
                 /* Sign the message.  */
-               sg_init_table(&sg, 1);
-               sg_set_buf(&sg, &cookie->c, bodysize);
+               sg_init_one(&sg, &cookie->c, bodysize);
                 keylen = SCTP_SECRET_SIZE;
                 key = (char *)ep->secret_key[ep->current_key];
                 desc.tfm = sctp_sk(ep->base.sk)->hmac;
@@ -1584,8 +1583,7 @@ struct sctp_association *sctp_unpack_cookie(
  
         /* Check the signature.  */
         keylen = SCTP_SECRET_SIZE;
-       sg_init_table(&sg, 1);
-       sg_set_buf(&sg, bear_cookie, bodysize);
+       sg_init_one(&sg, bear_cookie, bodysize);
         key = (char *)ep->secret_key[ep->current_key];
         desc.tfm = sctp_sk(ep->base.sk)->hmac;
         desc.flags = 0;
@@ -1849,7 +1847,7 @@ static void sctp_process_ext_param(struct sctp_association *asoc,
                             break;
                     case SCTP_CID_ASCONF:
                     case SCTP_CID_ASCONF_ACK:
-                           asoc->peer.addip_capable = 1;
+                           asoc->peer.asconf_capable = 1;
                             break;
                     default:
                             break;
@@ -2139,11 +2137,14 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
  
         /* If the peer claims support for ADD-IP without support
          * for AUTH, disable support for ADD-IP.
+        * Do this only if backward compatible mode is turned off.
          */
-       if (asoc->peer.addip_capable && !asoc->peer.auth_capable) {
+       if (!sctp_addip_noauth &&
+            (asoc->peer.asconf_capable && !asoc->peer.auth_capable)) {
                 asoc->peer.addip_disabled_mask |= (SCTP_PARAM_ADD_IP |
                                                   SCTP_PARAM_DEL_IP |
                                                   SCTP_PARAM_SET_PRIMARY);
+               asoc->peer.asconf_capable = 0;
         }
  
         /* Walk list of transports, removing transports in the UNKNOWN state. */
@@ -2850,10 +2851,11 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
  
         __be16  err_code;
         int     length = 0;
-       int     chunk_len = asconf->skb->len;
+       int     chunk_len;
         __u32   serial;
         int     all_param_pass = 1;
  
+       chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
         hdr = (sctp_addiphdr_t *)asconf->skb->data;
         serial = ntohl(hdr->serial);
  
@@ -2954,13 +2956,17 @@ static int sctp_asconf_param_success(struct sctp_association *asoc,
                 /* This is always done in BH context with a socket lock
                  * held, so the list can not change.
                  */
+               local_bh_disable();
                 list_for_each_entry(saddr, &bp->address_list, list) {
                         if (sctp_cmp_addr_exact(&saddr->a, &addr))
                                 saddr->use_as_src = 1;
                 }
+               local_bh_enable();
                 break;
         case SCTP_PARAM_DEL_IP:
-               retval = sctp_del_bind_addr(bp, &addr, call_rcu_bh);
+               local_bh_disable();
+               retval = sctp_del_bind_addr(bp, &addr);
+               local_bh_enable();
                 list_for_each(pos, &asoc->peer.transport_addr_list) {
                         transport = list_entry(pos, struct sctp_transport,
                                                  transports);
@@ -2992,7 +2998,7 @@ static __be16 sctp_get_asconf_response(struct sctp_chunk *asconf_ack,
         sctp_addip_param_t      *asconf_ack_param;
         sctp_errhdr_t           *err_param;
         int                     length;
-       int                     asconf_ack_len = asconf_ack->skb->len;
+       int                     asconf_ack_len;
         __be16                  err_code;
  
         if (no_err)
@@ -3000,6 +3006,9 @@ static __be16 sctp_get_asconf_response(struct sctp_chunk *asconf_ack,
         else
                 err_code = SCTP_ERROR_REQ_REFUSED;
  
+       asconf_ack_len = ntohs(asconf_ack->chunk_hdr->length) -
+                            sizeof(sctp_chunkhdr_t);
+
         /* Skip the addiphdr from the asconf_ack chunk and store a pointer to
          * the first asconf_ack parameter.
          */