Date: Tue, 6 Aug 2024 22:38:08 GMT
Message-Id: <202408062238.476Mc8RJ086560@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Michael Tuexen
Subject: git: 9badd542e755 - releng/13.4 - sctp: improve input validation for data chunks
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: tuexen
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.4
X-Git-Reftype: branch
X-Git-Commit: 9badd542e7552f9dfd4b868733a1e67c8f6df2df

The branch releng/13.4 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=9badd542e7552f9dfd4b868733a1e67c8f6df2df

commit 9badd542e7552f9dfd4b868733a1e67c8f6df2df
Author:     Michael Tuexen
AuthorDate: 2024-08-03 11:27:18 +0000
Commit:     Michael Tuexen
CommitDate: 2024-08-06 22:36:18 +0000

    sctp: improve input validation for data chunks

    fsn_included should only be considered if first_frag_seen is true.
    Also, fix the resetting of the control structure if stream queues
    are flushed.

    This fixes a bug where a legitimate message sequence was incorrectly
    classified as illegitimate.

    Thanks to Victor Boivie for reporting the issue on the userland stack.

    (cherry picked from commit 101a0f09e8baf8293e1eeb591de18caf15e49e00)
    (cherry picked from commit 18f4b705734e1c76bac441ffe86cb8fbb131a153)

    Approved by:    re (cperciva)
---
 sys/netinet/sctp_indata.c | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/sys/netinet/sctp_indata.c b/sys/netinet/sctp_indata.c
index 4c40e0de4326..693de313b970 100644
--- a/sys/netinet/sctp_indata.c
+++ b/sys/netinet/sctp_indata.c
@@ -746,21 +746,6 @@ sctp_build_readq_entry_from_ctl(struct sctp_queued_to_read *nc, struct sctp_queu nc->do_not_ref_stcb = control->do_not_ref_stcb; } -static void -sctp_reset_a_control(struct sctp_queued_to_read *control, - struct sctp_inpcb *inp, uint32_t tsn) -{ - control->fsn_included = tsn; - if (control->on_read_q) { - /* - * We have to purge it from there, hopefully this will work - * :-) - */ - TAILQ_REMOVE(&inp->read_queue, control, next); - control->on_read_q = 0; - } -} - static int sctp_handle_old_unordered_data(struct sctp_tcb *stcb, struct sctp_association *asoc, @@ -1922,7 +1907,8 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc, SCTP_SNPRINTF(msg, sizeof(msg), "Duplicate MID=%8.8x detected.", mid); goto err_out; } else { - if ((tsn == control->fsn_included + 1) && + if ((control->first_frag_seen) && + (tsn == control->fsn_included + 1) && (control->end_added == 0)) { SCTP_SNPRINTF(msg, sizeof(msg), "Illegal message sequence, missing end for MID: %8.8x", @@ -5430,12 +5416,25 @@ sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb, sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); } if (!TAILQ_EMPTY(&control->reasm)) { - /* This has to be old data, unordered */ + KASSERT(!asoc->idata_supported, + ("Reassembly queue not empty for I-DATA")); + KASSERT(!ordered, + ("Reassembly queue not empty for ordered data")); if (control->data) { sctp_m_freem(control->data); control->data = NULL; } - sctp_reset_a_control(control, stcb->sctp_ep, cumtsn); + control->fsn_included = 0xffffffff; + control->first_frag_seen = 0; + control->last_frag_seen = 0; + if (control->on_read_q) { + /* + * We have to purge it from there, hopefully this + * will work :-) + */ + TAILQ_REMOVE(&stcb->sctp_ep->read_queue, control, next); + control->on_read_q = 0; + } chk = TAILQ_FIRST(&control->reasm); if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { TAILQ_REMOVE(&control->reasm, chk, sctp_next);
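Review bot: deleting sctp_reset_a_control (hunk at -746) is only safe if the call from sctp_flush_reassm_for_str_seq in the last hunk was its sole caller; the diff shows no other call site, so confirm with a grep for the symbol before merging, since any remaining caller would fail to compile. Folding the body into that one caller is a reasonable choice here, because the helper's (control, inp, tsn) interface had no way to clear first_frag_seen and last_frag_seen together with fsn_included, which the replacement now does in one place.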
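Review bot: the added `(control->first_frag_seen) &&` term in the hunk at -1922 is the substantive fix and deserves a one-line comment above the condition, since the three-way test otherwise reads as three unrelated checks. Before this change `tsn == control->fsn_included + 1` was evaluated even when no first fragment had been seen, so a control whose fsn_included had just been reset to cumtsn by the old sctp_reset_a_control would, with end_added still 0, flag the very next TSN as "Illegal message sequence, missing end". Note also that with the new 0xffffffff sentinel from the last hunk, `fsn_included + 1` wraps to 0 under uint32_t arithmetic, so it is the guard and not the sentinel that keeps a chunk with TSN 0 from matching; the two changes only work together.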
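Review bot: in the hunk at -5430, two identifiers the new code relies on are not visible in the context: `asoc` (used by `KASSERT(!asoc->idata_supported, ...)`) and `ordered` must be in scope in sctp_flush_reassm_for_str_seq, where only `stcb` and `cumtsn` are shown, and `cumtsn`, whose only visible consumer was the removed sctp_reset_a_control call, should still have a use in the function now that fsn_included is set to the sentinel instead. The two KASSERTs replace the old "This has to be old data, unordered" comment but check nothing on a kernel built without INVARIANTS, so the unconditional reset that follows must be safe in either case, which it is. The carried-over "hopefully this will work :-)" comment above the TAILQ_REMOVE says nothing about why unlinking from read_queue is safe here; stating the invariant (on_read_q set means the entry is on stcb->sctp_ep->read_queue under the lock the caller holds) would serve the next reader better. One behaviour change worth a line in the commit message: the old reset left first_frag_seen and last_frag_seen untouched, the new one clears both.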
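To make the effect of the guard concrete, here is an added C model of the check changed in the second hunk and of the two resets (the removed sctp_reset_a_control and its inlined replacement). It is example code, not code from the FreeBSD tree: `struct model_control` holds only the four fields the diff touches, and the helper and scenario function names are assumptions made for the model; the sentinel value and the two condition forms are copied from the hunks. It shows the scenario the commit message describes (a legitimate chunk rejected after a flush), why the new sentinel alone would not have been enough, and that a genuine missing-end violation is still caught.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model only (not FreeBSD code): the four fields of struct
 * sctp_queued_to_read that the patched check and reset touch.
 * The struct name and the helper names below are assumptions.
 */
struct model_control {
	uint32_t fsn_included;   /* TSN of the last fragment folded into the message */
	uint8_t  first_frag_seen;
	uint8_t  last_frag_seen;
	uint8_t  end_added;
};

/* Sentinel written by the patched flush path (from the third hunk). */
#define FSN_UNSET 0xffffffffU

/* Pre-patch reset: sctp_reset_a_control() only overwrote fsn_included with cumtsn. */
static void reset_old(struct model_control *c, uint32_t cumtsn)
{
	c->fsn_included = cumtsn;
}

/* Post-patch reset: sentinel plus cleared fragment flags, as inlined in the third hunk. */
static void reset_new(struct model_control *c)
{
	c->fsn_included = FSN_UNSET;
	c->first_frag_seen = 0;
	c->last_frag_seen = 0;
}

/* Pre-patch condition that raised "Illegal message sequence, missing end". */
static bool missing_end_old(const struct model_control *c, uint32_t tsn)
{
	return (tsn == c->fsn_included + 1) && (c->end_added == 0);
}

/* Post-patch condition: fsn_included is consulted only after a first fragment. */
static bool missing_end_new(const struct model_control *c, uint32_t tsn)
{
	return (c->first_frag_seen) && (tsn == c->fsn_included + 1) &&
	    (c->end_added == 0);
}

/*
 * Scenario consistent with the commit message: stream queues were flushed
 * at cumulative TSN cumtsn, and the next DATA chunk carries TSN cumtsn + 1,
 * a legitimate new message. Returns true when the old check rejects it
 * while the new check accepts it.
 */
bool old_reset_rejects_next_tsn(uint32_t cumtsn)
{
	struct model_control c;
	memset(&c, 0, sizeof(c));      /* end_added == 0, no fragments seen */
	reset_old(&c, cumtsn);
	return missing_end_old(&c, cumtsn + 1) && !missing_end_new(&c, cumtsn + 1);
}

/*
 * Why the guard matters even with the new sentinel: 0xffffffff + 1 wraps
 * to 0 under uint32_t arithmetic, so the unguarded condition would still
 * match a chunk with TSN 0. Returns true when only the guarded form is safe.
 */
bool sentinel_alone_wraps_to_zero(void)
{
	struct model_control c;
	memset(&c, 0, sizeof(c));
	reset_new(&c);
	return missing_end_old(&c, 0) && !missing_end_new(&c, 0);
}

/*
 * A real violation both forms must keep catching: the first fragment of the
 * message (TSN 5) was seen, no end fragment was added, and the caller asks
 * about TSN 6 in that state.
 */
bool both_checks_catch_real_violation(void)
{
	struct model_control c;
	memset(&c, 0, sizeof(c));
	reset_new(&c);
	c.first_frag_seen = 1;
	c.fsn_included = 5;
	return missing_end_old(&c, 6) && missing_end_new(&c, 6);
}

int main(void)
{
	printf("old reset + next TSN rejected only by old check: %s\n",
	    old_reset_rejects_next_tsn(1000) ? "yes" : "no");
	printf("sentinel without guard wraps and matches TSN 0: %s\n",
	    sentinel_alone_wraps_to_zero() ? "yes" : "no");
	printf("both checks catch a real violation: %s\n",
	    both_checks_catch_real_violation() ? "yes" : "no");
	return 0;
}
```

The model deliberately keeps `end_added` at 0 in the flush scenarios, because that is the state in which the old condition could fire on a freshly reset control; if the real code path sets `end_added` before the check is reached, the old condition would not have misfired there, which is exactly the kind of detail to verify against sctp_process_a_data_chunk rather than assume from the diff.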