git: a6a596e102be - main - sctp: improve handling of listen() call

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Sun, 29 May 2022 18:44:04 UTC
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=a6a596e102be19141d042813e7411c9d931663c7

commit a6a596e102be19141d042813e7411c9d931663c7
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-05-29 18:40:30 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2022-05-29 18:40:30 +0000

    sctp: improve handling of listen() call
    
    Fail the listen() call for 1-to-1 style sockets when the SCTP
    association has been shut down or aborted.
    
    Reported by:    syzbot+6c484f116b9dc88f7db1@syzkaller.appspotmail.com
    MFC after:      3 days
---
 sys/netinet/sctp_usrreq.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 05820f2b2859..caa763f28c8a 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -7221,6 +7221,15 @@ sctp_listen(struct socket *so, int backlog, struct thread *p)
 		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, error);
 		goto out;
 	}
+	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
+	    ((inp->sctp_flags & SCTP_PCB_FLAGS_WAS_CONNECTED) ||
+	    (inp->sctp_flags & SCTP_PCB_FLAGS_WAS_ABORTED))) {
+		SOCK_UNLOCK(so);
+		solisten_proto_abort(so);
+		error = EINVAL;
+		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, error);
+		goto out;
+	}
 	if (inp->sctp_flags & SCTP_PCB_FLAGS_UNBOUND) {
 		if ((error = sctp_inpcb_bind_locked(inp, NULL, NULL, p))) {
 			SOCK_UNLOCK(so);
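Review bot: The new guard ahead of the SCTP_PCB_FLAGS_UNBOUND check has no comment explaining why a 1-to-1 socket with a past association must not become a listener, and the flag name SCTP_PCB_FLAGS_WAS_CONNECTED does not obviously read as "shut down", which is how the commit message describes it. A comment above the `if`, such as `/* A 1-to-1 style socket whose association was shut down or aborted cannot be reused as a listener. */`, would record the intent. The two flag tests could also be folded into one mask, `(inp->sctp_flags & (SCTP_PCB_FLAGS_WAS_CONNECTED | SCTP_PCB_FLAGS_WAS_ABORTED))`, which reads more directly. Because this came from a syzbot report and the diffstat shows only this one file changed, a regression test that calls listen() after the association has ended and expects EINVAL would keep the state check from silently regressing. sctp_listen() starts and ends outside the hunk, so the locking that covers these flag reads cannot be confirmed from here.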