Wind River Support Network


LIN6-7768 : CLONE - socket ack_backlog counter wrap-around

Created: Jun 24, 2014    Updated: Dec 3, 2018
Resolved Date: Sep 2, 2014
Previous ID: LIN4-31529
Found In Version: 6.0
Fix Version:
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Kernel


A malformed SCTP AUTH chunk is injected into the system along with a COOKIE-ECHO after the INIT, INIT-ACK exchange.
As expected, the AUTH chunk is discarded. After this, when a new association is being established, an ABORT chunk is sent in response to the COOKIE-ECHO and the association is terminated.
While processing the received malformed AUTH chunk, one of the validation checks for the AUTH chunk fails: the length of the signature does not match, and a protocol violation error is returned.
During association free, the backlog value of the socket is decremented.
In this case the backlog value is already zero.
Because the backlog value is an unsigned short (range 0-65535), decrementing it results in 65535, the maximum unsigned short value.
We then try to establish a new association on the same socket. While processing the received COOKIE-ECHO chunk after the INIT, INIT-ACK exchange,
it is found that the number of associations on the TCP-style socket exceeds the max backlog, and an ABORT chunk is sent.
Though there is only one connection to the server, the socket ack_backlog value (65535) exceeds the max_ack_backlog value (5).
The max backlog value is 5.
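
The wrap-around described above, reduced to a small C model. This is an added example, not Wind River's or the kernel's code: `struct model_sock`, the function names and the `counted` flag are hypothetical, and the guarded free is one possible way to avoid the underflow, not necessarily the fix that was shipped.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified model (not kernel code) of the two socket fields in the report. */
struct model_sock {
    unsigned short ack_backlog;     /* associations counted against the limit */
    unsigned short max_ack_backlog; /* backlog limit; 5 in the report */
};

/* Check applied to a COOKIE-ECHO; true means the reply is ABORT. */
static bool backlog_exceeded(const struct model_sock *sk)
{
    return sk->ack_backlog > sk->max_ack_backlog;
}

/* Behaviour described in the report: every free decrements the counter. */
static void assoc_free_unguarded(struct model_sock *sk)
{
    sk->ack_backlog--;              /* at 0 this wraps to 65535 */
}

/* Guarded: 'counted' (hypothetical) says this association took a backlog slot. */
static void assoc_free_guarded(struct model_sock *sk, bool counted)
{
    if (counted && sk->ack_backlog > 0)
        sk->ack_backlog--;
}

/* Free one never-counted association (the failed AUTH case); return counter. */
static unsigned short backlog_after_failed_assoc(bool guarded)
{
    struct model_sock sk = { .ack_backlog = 0, .max_ack_backlog = 5 };
    if (guarded)
        assoc_free_guarded(&sk, false);
    else
        assoc_free_unguarded(&sk);
    return sk.ack_backlog;
}

/* Would the next COOKIE-ECHO on the same socket be answered with ABORT? */
static bool next_assoc_rejected(bool guarded)
{
    struct model_sock sk = { backlog_after_failed_assoc(guarded), 5 };
    return backlog_exceeded(&sk);
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n", backlog_after_failed_assoc(false), backlog_after_failed_assoc(true));
    return 0;
}
```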

Steps to Reproduce

Testing performed by Codenomicon tools.
