SCTP: fix connection memory corruption A bug was found when multiple SCTP connections were being opened to the same SCTP server. This patch addresses that problem, removing the use of the 'parent' pointer approach for sub-connection and saving instead within the sub-connection itself the ID representing its position. That facilitates pointer-arithmetic to be computed in the get_connection_from_transport(). Change-Id: Iaa1f4efc501590be1c93e42fd6fe3d6e02f635eb Signed-off-by: Marco Varlese <marco.varlese@suse.com>

commit: 04e5d64c454ec53103fa1f4b7f3634bb61a65d0f [log] [tgz]
author: Marco Varlese <marco.varlese@suse.com> Fri Feb 23 17:43:06 2018 +0100
committer: Florin Coras <florin.coras@gmail.com> Sun Feb 25 19:33:48 2018 +0000
tree: eb934071bb2254bea39bca2a9804caa07393b4d9
parent: 3473e4938718a820b63edaeab5ae7738c31379d5 [diff] [blame]
diff --git a/src/vnet/sctp/sctp.c b/src/vnet/sctp/sctp.c
index 4643e8e..9a0f47b 100644
--- a/src/vnet/sctp/sctp.c
+++ b/src/vnet/sctp/sctp.c

@@ -27,7 +27,8 @@
   pool_get (tm->listener_pool, listener);
   memset (listener, 0, sizeof (*listener));
 
-  listener->sub_conn[MAIN_SCTP_SUB_CONN_IDX].parent = listener;
+  listener->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx =
+    MAIN_SCTP_SUB_CONN_IDX;
   listener->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_c_index =
     listener - tm->listener_pool;
   listener->sub_conn[MAIN_SCTP_SUB_CONN_IDX].connection.lcl_port = tep->port;
@@ -273,7 +274,8 @@
     sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].connection.c_index;
   sctp_conn->sub_conn[sctp_conn->next_avail_sub_conn].
     connection.thread_index = thread_index;
-  sctp_conn->sub_conn[sctp_conn->next_avail_sub_conn].parent = sctp_conn;
+  sctp_conn->sub_conn[sctp_conn->next_avail_sub_conn].subconn_idx =
+    sctp_conn->next_avail_sub_conn;
 
   sctp_conn->next_avail_sub_conn += 1;
 
@@ -310,7 +312,8 @@
 
   pool_get (sctp_main->connections[thread_index], sctp_conn);
   memset (sctp_conn, 0, sizeof (*sctp_conn));
-  sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].parent = sctp_conn;
+  sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx =
+    MAIN_SCTP_SUB_CONN_IDX;
   sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_c_index =
     sctp_conn - sctp_main->connections[thread_index];
   sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_thread_index = thread_index;
@@ -330,7 +333,8 @@
   memset (sctp_conn, 0, sizeof (*sctp_conn));
   sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].c_c_index =
     sctp_conn - tm->half_open_connections;
-  sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].parent = sctp_conn;
+  sctp_conn->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx =
+    MAIN_SCTP_SUB_CONN_IDX;
   return sctp_conn;
 }
 
@@ -374,7 +378,7 @@
   transport_connection_t *trans_conn = &sctp_conn->sub_conn[idx].connection;
   ip_copy (&trans_conn->rmt_ip, &rmt->ip, rmt->is_ip4);
   ip_copy (&trans_conn->lcl_ip, &lcl_addr, rmt->is_ip4);
-  sctp_conn->sub_conn[idx].parent = sctp_conn;
+  sctp_conn->sub_conn[idx].subconn_idx = idx;
   trans_conn->rmt_port = rmt->port;
   trans_conn->lcl_port = clib_host_to_net_u16 (lcl_port);
   trans_conn->is_ip4 = rmt->is_ip4;
commit	04e5d64c454ec53103fa1f4b7f3634bb61a65d0f	[log] [tgz]
author	Marco Varlese <marco.varlese@suse.com>	Fri Feb 23 17:43:06 2018 +0100
committer	Florin Coras <florin.coras@gmail.com>	Sun Feb 25 19:33:48 2018 +0000
tree	eb934071bb2254bea39bca2a9804caa07393b4d9
parent	3473e4938718a820b63edaeab5ae7738c31379d5 [diff] [blame]