git: eec6aed5b8c8 - main - sctp: fix another locking bug in COOKIE handling

[Michael Tuexen]

The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=eec6aed5b8c848841ae8d25940e0a333e5039ce9

commit eec6aed5b8c848841ae8d25940e0a333e5039ce9
Author:     Michael Tuexen <tuexen at FreeBSD.org>
AuthorDate: 2021-05-12 21:02:31 +0000
Commit:     Michael Tuexen <tuexen at FreeBSD.org>
CommitDate: 2021-05-12 21:05:28 +0000

    sctp: fix another locking bug in COOKIE handling
    
    Thanks to Tolya Korniltsev for reporting the issue for
    the userland stack and testing the fix.
    
    MFC after:      3 days
---
 sys/netinet/sctp_input.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index f066cc100ac2..442e58afd0ff 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -1752,17 +1752,23 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
 		struct sctpasochead *head;
 
 		if (asoc->peer_supports_nat) {
+			struct sctp_tcb *local_stcb;
+
 			/*
 			 * This is a gross gross hack. Just call the
 			 * cookie_new code since we are allowing a duplicate
 			 * association. I hope this works...
 			 */
-			return (sctp_process_cookie_new(m, iphlen, offset, src, dst,
+			local_stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst,
 			    sh, cookie, cookie_len,
 			    inp, netp, init_src, notification,
 			    auth_skipped, auth_offset, auth_len,
 			    mflowtype, mflowid,
-			    vrf_id, port));
+			    vrf_id, port);
+			if (local_stcb == NULL) {
+				SCTP_TCB_UNLOCK(stcb);
+			}
+			return (local_stcb);
 		}
 		/*
 		 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)