path: root/0007-rx-update_nextCid-overflow-handling-is-broken.patch
blob: d5a351f9a1f818e8b03ee8269dd592f3db885ec3 (plain)
From 99e01a0237ea3af6bf859ceeb2f53ed0755c75dd Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@auristor.com>
Date: Thu, 14 Jan 2021 09:57:13 -0500
Subject: [PATCH 7/7] rx: update_nextCid overflow handling is broken

The overflow handling in update_nextCid() produces a rx_nextCid
value of 0x80000001 which itself is an overflow. When used
to construct the first call of a new connection the connection
id for the call becomes 0x80000002.

If the same connection id is used for multiple connections from
the same endpoint the accepting rx peer will be very confused.

When authenticated connections are used, the CHALLENGE/RESPONSE
will fail because of a mismatch in the connection's callNumber
array.

All communication from a broken initiator to any rx peer will
fail.

The incorrect overflow calculation was introduced by
39b165cdda941181845022c183fea1c7af7e4356 ("Move epoch and cid
generation into the rx core").

This change corrects the overflow value to become

  1 << RX_CIDSHIFT

Change-Id: If36e3aa581d557cc0f4d2d478f84a6593224c3cc
---
 src/rx/rx.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/rx/rx.c b/src/rx/rx.c
index e1e6d8fd6..5d5953120 100644
--- a/src/rx/rx.c
+++ b/src/rx/rx.c
@@ -6651,9 +6651,8 @@ update_nextCid(void)
 {
     /* Overflow is technically undefined behavior; avoid it. */
     if (rx_nextCid > MAX_AFS_INT32 - (1 << RX_CIDSHIFT))
-	rx_nextCid = -1 * ((MAX_AFS_INT32 / RX_CIDSHIFT) * RX_CIDSHIFT);
-    else
-	rx_nextCid += 1 << RX_CIDSHIFT;
+	rx_nextCid = 0;
+    rx_nextCid += 1 << RX_CIDSHIFT;
 }
 
 static void
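Review bot: after the wrap the counter restarts at `1 << RX_CIDSHIFT`, which is only safe if no connection handed out near the start of the previous cycle is still alive on the same endpoint; the commit message describes exactly how a reused connection id confuses the accepting peer, so the comment above the `if` should state that assumption (and, if cheap, the reset path could verify the id is not held by an existing connection before reusing it). Since the reset and the `rx_nextCid += 1 << RX_CIDSHIFT;` increment are now unconditional, the comment "Overflow is technically undefined behavior; avoid it." could also say that the counter wraps to `1 << RX_CIDSHIFT`, deliberately skipping 0, so the next reader does not take `rx_nextCid = 0;` for a stray reset.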
-- 
2.30.0
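The arithmetic behind the commit message, as an added example that is not OpenAFS code: it models the removed and the added reset paths of update_nextCid() side by side and checks the value each hands out at the wrap point. The constants RX_CIDSHIFT = 6 and MAX_AFS_INT32 = 0x7fffffff, the counter starting at 0, and the function names are assumptions for illustration; the page does not state them.

```c
/*
 * Added example, not OpenAFS code.  Models the '-' and '+' versions of
 * update_nextCid() from the patch to show why the old overflow reset was
 * wrong.  RX_CIDSHIFT, MAX_AFS_INT32 and the starting counter value are
 * assumptions for illustration; the real values live in the rx headers.
 */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define RX_CIDSHIFT    6            /* assumed: low 6 bits of a cid carry the channel */
#define MAX_AFS_INT32  0x7fffffff   /* assumed: largest positive afs_int32 */
#define CID_STEP       (1 << RX_CIDSHIFT)

typedef int32_t afs_int32;

/* Reset logic from the removed ('-') lines of the hunk. */
static afs_int32 old_update_nextCid(afs_int32 cid)
{
    if (cid > MAX_AFS_INT32 - CID_STEP)
        /* Rounds to a multiple of the shift count, not of 1 << shift,
         * and negates it: the result is negative with channel bits set. */
        return -1 * ((MAX_AFS_INT32 / RX_CIDSHIFT) * RX_CIDSHIFT);
    return cid + CID_STEP;
}

/* Reset logic from the added ('+') lines of the hunk. */
static afs_int32 new_update_nextCid(afs_int32 cid)
{
    if (cid > MAX_AFS_INT32 - CID_STEP)
        cid = 0;                    /* wrap, then take one step: 1 << RX_CIDSHIFT */
    return cid + CID_STEP;
}

/* A usable connection id: non-negative, channel bits clear. */
static bool cid_is_valid(afs_int32 cid)
{
    return cid >= 0 && (cid & (CID_STEP - 1)) == 0;
}

/* Count updates from an assumed start of 0 until the counter wraps
 * (i.e. the next value is smaller than the current one). */
static long cids_until_wrap(void)
{
    afs_int32 cid = 0;
    long count = 0;
    for (;;) {
        afs_int32 next = new_update_nextCid(cid);
        count++;
        if (next < cid)
            return count;
        cid = next;
    }
}

int main(void)
{
    afs_int32 top = 0x7fffffc0;     /* highest aligned cid before the wrap */
    afs_int32 o = old_update_nextCid(top);
    afs_int32 n = new_update_nextCid(top);

    printf("old reset value: %d (0x%08x) valid=%d\n", o, (uint32_t)o, cid_is_valid(o));
    printf("new reset value: %d (0x%08x) valid=%d\n", n, (uint32_t)n, cid_is_valid(n));
    printf("updates from 0 until wrap: %ld\n", cids_until_wrap());
    return 0;
}
```

With the assumed constants the old path returns a negative value whose low channel bits are not zero, so every connection built from it starts with a malformed id, while the new path returns CID_STEP and keeps the channel bits clear across the wrap. The cids_until_wrap() count is the size of the id space: the new code only stays safe as long as a connection created that many allocations ago is no longer alive on the same endpoint.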