Hi,

On Sun, Mar 03, 2019 at 04:17:21PM +0800, Xin Long wrote:
> sctp_hdr(skb) only works when skb->transport_header is set
> properly.
>
> But in the path of nf_conntrack_in:
>
>   sctp_packet() -> sctp_error() -> sctp_compute_cksum().
>
> skb->transport_header is not guaranteed to be right value
> for sctp. It will cause to fail to check the checksum for
> sctp packets.
>
> So fix it by setting skb transport_header before calling
> sctp_compute_cksum().

I see a few more calls to sctp_compute_cksum() in the netfilter tree.
I guess they are broken too.

In netfilter, skb->transport_header is never set from the input path,
I think this introduces an asymmetry with other transport protocols.

May we have a variant of sctp_compute_cksum() which does not rely on
sctp_hdr() instead?
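A userspace model of the kind of variant asked about above, added here as an illustration and not code from this thread or from the kernel: the SCTP header is located from an explicit `dataoff` argument, so verification does not depend on any separately stored transport-header position. The function names, the flat byte-buffer view of the packet and the sample packet are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Bitwise CRC32c (Castagnoli, reflected polynomial 0x82F63B78), no final inversion. */
uint32_t crc32c_update(uint32_t crc, const uint8_t *p, size_t n)
{
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return crc;
}

/* Hypothetical helper: checksum of the SCTP packet at buf + dataoff, field bytes 8..11 as zero. */
uint32_t sctp_cksum_at(const uint8_t *buf, size_t len, size_t dataoff)
{
    static const uint8_t zero[4];
    uint32_t crc = crc32c_update(0xFFFFFFFFu, buf + dataoff, 8);
    crc = crc32c_update(crc, zero, 4);
    return ~crc32c_update(crc, buf + dataoff + 12, len - dataoff - 12);
}

/* 1 if the stored checksum (least significant byte first) matches, else 0. */
int sctp_cksum_ok(const uint8_t *buf, size_t len, size_t dataoff)
{
    if (len < 12 || dataoff > len - 12)
        return 0;
    const uint8_t *f = buf + dataoff + 8;
    uint32_t stored = f[0] | f[1] << 8 | f[2] << 16 | (uint32_t)f[3] << 24;
    return stored == sctp_cksum_at(buf, len, dataoff);
}

/* Write the checksum into the header found at dataoff (caller checks bounds). */
void sctp_cksum_seal(uint8_t *buf, size_t len, size_t dataoff)
{
    uint32_t c = sctp_cksum_at(buf, len, dataoff);
    for (int i = 0; i < 4; i++)
        buf[dataoff + 8 + i] = (uint8_t)(c >> (8 * i));
}

int main(void)
{
    /* Constructed sample: 20-byte IPv4-style header, then a 16-byte SCTP packet. */
    uint8_t pkt[36] = { [0] = 0x45, [8] = 0x40, [9] = 132, [20] = 0x0b, 0x59, 0x0b, 0x59,
                        0, 0, 0, 1, 0, 0, 0, 0, 0x0e, 0x00, 0x00, 0x04 };
    sctp_cksum_seal(pkt, sizeof pkt, 20);
    printf("dataoff 20: %d, dataoff 0: %d\n", sctp_cksum_ok(pkt, 36, 20), sctp_cksum_ok(pkt, 36, 0));
}
```

With the correct offset the packet verifies; with an offset that points at the wrong header the checksum field read and zeroed is the wrong four bytes, and a valid packet is reported as corrupt.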