net: sctp: sctp_v6_get_dst: fix boolean test in dst cache

We walk through the bind address list and try to get the best source address for a given destination. However, currently, we take the 'continue' path of the loop when an entry is invalid (!laddr->valid) *and* the entry state does not equal SCTP_ADDR_SRC (laddr->state != SCTP_ADDR_SRC). Thus, still, invalid entries with SCTP_ADDR_SRC might not 'continue' as well as valid entries with SCTP_ADDR_{NEW, SRC, DEL}, with a possible false baddr and matchlen as a result, causing in worst case dst route to be false or possibly NULL. This test should actually be a '||' instead of '&&'. But lets fix it and make this a bit easier to read by having the condition the same way as similarly done in sctp_v4_get_dst. Signed-off-by: Daniel Borkmann <[email protected]> Acked-by: Vlad Yasevich <[email protected]> Acked-by: Neil Horman <[email protected]> Signed-off-by: David S. Miller <[email protected]>
stroese · Feb 13, 2013 · e9c0dfb · e9c0dfb
1 parent 816cd5b
commit e9c0dfb
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
@@ -326,9 +326,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
 	 */
 	rcu_read_lock();
 	list_for_each_entry_rcu(laddr, &bp->address_list, list) {
-		if (!laddr->valid && laddr->state != SCTP_ADDR_SRC)
+		if (!laddr->valid)
 			continue;
-		if ((laddr->a.sa.sa_family == AF_INET6) &&
+		if ((laddr->state == SCTP_ADDR_SRC) &&
+		    (laddr->a.sa.sa_family == AF_INET6) &&
 		    (scope <= sctp_scope(&laddr->a))) {
 			bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
 			if (!baddr || (matchlen < bmatchlen)) {