git: 7b2f1a7fe944 - main - sctp: improve delivery of stream reset notifications
Date: Thu, 02 Feb 2023 21:44:19 UTC
The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=7b2f1a7fe9445ea318f34bd3db971076b61ef831 commit 7b2f1a7fe9445ea318f34bd3db971076b61ef831 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2023-02-02 13:46:10 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2023-02-02 13:46:10 +0000 sctp: improve delivery of stream reset notifications Two functions are not called via sctp_ulp_notify() and therefore need additional checks when being called. Reported by: syzbot+eb888d3a5a6c54413de5@syzkaller.appspotmail.com MFC after: 3 days
---
 sys/netinet/sctputil.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c
index 677040cd1d31..f4b6ca8c0836 100644
--- a/sys/netinet/sctputil.c
+++ b/sys/netinet/sctputil.c
@@ -3815,10 +3815,17 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb, uint16_t numberin, uint16_t
 struct sctp_stream_change_event *stradd;

 if ((stcb == NULL) ||
- (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
+ (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
+ (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
+ (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
+ /* If the socket is gone we are out of here. */
+ return;
+ }
+ if (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT)) {
 /* event not enabled */
 return;
 }
+
 if ((stcb->asoc.peer_req_out) && flag) {
 /* Peer made the request, don't tell the local user */
 stcb->asoc.peer_req_out = 0;
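Review bot: The three-part socket-gone test (`SCTP_PCB_FLAGS_SOCKET_GONE`, `SCTP_PCB_FLAGS_SOCKET_ALLGONE`, `SCTP_STATE_CLOSED_SOCKET`) is written out verbatim at the top of sctp_notify_stream_reset_add() and again in sctp_notify_stream_reset_tsn() in the next hunk. Judging by the commit message, it presumably repeats a guard that sctp_ulp_notify() applies for every other notification. Copies of a lifetime guard like this tend to drift, and a notifier that loses one of the three conditions would again build a notification for an association whose socket is already closed. Consider moving the test into one small static predicate shared by both callers (and by sctp_ulp_notify(), if its check is the same). The new comment should also record why the guard is needed, for example `/* Not reached via sctp_ulp_notify(), so its socket-gone checks must be repeated here. */`. Both function bodies continue outside their hunks.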
@@ -3871,10 +3878,17 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb, uint32_t sending_tsn, uint32
 struct sctp_assoc_reset_event *strasoc;

 if ((stcb == NULL) ||
- (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
+ (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
+ (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
+ (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
+ /* If the socket is gone we are out of here. */
+ return;
+ }
+ if (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT)) {
 /* event not enabled */
 return;
 }
+
 m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA);
 if (m_notify == NULL)
 /* no space left */