SCTP: fix connection memory corruption
A bug was found when multiple SCTP connections were being opened to the
same SCTP server. This patch addresses that problem by removing the
'parent' pointer approach for sub-connections and instead storing, within
each sub-connection itself, the ID representing its position. That allows
the parent connection to be recovered by pointer arithmetic in
get_connection_from_transport().
Change-Id: Iaa1f4efc501590be1c93e42fd6fe3d6e02f635eb
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
diff --git a/src/vnet/sctp/sctp.h b/src/vnet/sctp/sctp.h
index fd9d8da..048d153 100644
--- a/src/vnet/sctp/sctp.h
+++ b/src/vnet/sctp/sctp.h
@@ -100,8 +100,8 @@
typedef struct _sctp_sub_connection
{
transport_connection_t connection; /**< Common transport data. First! */
- void *parent; /**< Link to the parent-super connection */
+ u8 subconn_idx; /**< This indicates the position of this sub-connection in the super-set container of connections pool */
u32 error_count; /**< The current error count for this destination. */
u32 error_threshold; /**< Current error threshold for this destination,
i.e. what value marks the destination down if error count reaches this value. */
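Review bot: The doc comment on the new `subconn_idx` field should state the invariant the rest of this patch relies on: it must equal this element's own index in the parent's sub-connection array, because get_connection_from_transport() (named in the commit message) recovers the parent from it by pointer arithmetic. A slot whose index is never written presumably reads as 0 from freshly allocated pool memory and would then silently resolve to the wrong parent rather than fail loudly. Suggested text: `/**< Index of this element in the parent sctp_connection_t's sub_conn[] array; must be set whenever a slot is (re)used, since get_connection_from_transport() derives the parent from it */`. Whether every allocation path sets the field, and whether the array bound fits in a u8, cannot be confirmed from this hunk; the struct's remaining members are outside it.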
@@ -512,7 +512,7 @@
clib_spinlock_lock_if_init (&sctp_main.half_open_lock);
if (!pool_is_free_index (sctp_main.half_open_connections, conn_index))
tc = pool_elt_at_index (sctp_main.half_open_connections, conn_index);
- tc->sub_conn[MAIN_SCTP_SUB_CONN_IDX].parent = tc;
+ tc->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx = MAIN_SCTP_SUB_CONN_IDX;
clib_spinlock_unlock_if_init (&sctp_main.half_open_lock);
return tc;
}
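Review bot: The new `tc->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx = MAIN_SCTP_SUB_CONN_IDX;` line runs unconditionally, but `tc` is only assigned when `pool_is_free_index` is false, so a free index writes through whatever `tc` held before (its initialisation is above the hunk, presumably NULL) while `half_open_lock` is still held. Brace the `if` and move the assignment inside it so a miss returns without touching any slot: `{ tc = pool_elt_at_index (sctp_main.half_open_connections, conn_index); tc->sub_conn[MAIN_SCTP_SUB_CONN_IDX].subconn_idx = MAIN_SCTP_SUB_CONN_IDX; }`. The removed `.parent = tc` line had the same hazard, so it is not introduced here, but the patch rewrites that line and should not keep it. Separately, stamping the index inside a lookup is fragile; setting it once where the half-open connection is allocated would cover every caller, though that path and this function's signature are outside the hunk.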
@@ -609,7 +609,11 @@
if (sub->parent == NULL)
SCTP_ADV_DBG ("sub->parent == NULL");
#endif
- return (sctp_connection_t *) sub->parent;
+ if (sub->subconn_idx > 0)
+ return (sctp_connection_t *) sub -
+ (sizeof (sctp_sub_connection_t) * (sub->subconn_idx - 1));
+
+ return (sctp_connection_t *) sub;
}
always_inline u32
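Review bot: The arithmetic after `if (sub->subconn_idx > 0)` does not recover the parent: the subtraction is applied to the result of the cast to `sctp_connection_t *`, so it is scaled by sizeof (sctp_connection_t) rather than being a byte offset, and the `subconn_idx - 1` term makes index 1 resolve to `sub` itself, whereas the index-0 path shows the code assumes `sub_conn[0]` sits at the start of the parent, which would put index 1 one element further back. Both paths collapse into `return (sctp_connection_t *) (sub - sub->subconn_idx);`, which steps back in sctp_sub_connection_t units and is also right for index 0; if `sub_conn` is not the parent's first member (its definition is outside this hunk), use the container_of form `(sctp_connection_t *) ((u8 *) sub - sub->subconn_idx * sizeof (*sub) - offsetof (sctp_connection_t, sub_conn))` instead. The `#ifdef` block kept as context still reads `sub->parent`, a field this patch deletes from the struct, so that debug configuration no longer compiles; it should bound-check `sub->subconn_idx` against the size of the sub-connection array or be removed. The function's signature and the opening of that `#ifdef` are outside the hunk.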