svn commit: r54452 - in head/share: security/advisories security/patches/EN-20:17 security/patches/EN-20:18 security/patches/SA-20:24 security/patches/SA-20:25 security/patches/SA-20:26 xml
Gordon Tetlow
gordon at FreeBSD.org
Wed Sep 2 16:53:19 UTC 2020
Author: gordon (src committer)
Date: Wed Sep 2 16:53:16 2020
New Revision: 54452
URL: https://svnweb.freebsd.org/changeset/doc/54452
Log:
Add EN-20:17, EN-20:18, and SA-20:24 to SA-20:26.
Approved by: so
Added:
head/share/security/advisories/FreeBSD-EN-20:17.linuxthread.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-20:18.getfsstat.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-20:24.ipv6.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-20:25.sctp.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-20:26.dhclient.asc (contents, props changed)
head/share/security/patches/EN-20:17/
head/share/security/patches/EN-20:17/linuxthread.patch (contents, props changed)
head/share/security/patches/EN-20:17/linuxthread.patch.asc (contents, props changed)
head/share/security/patches/EN-20:18/
head/share/security/patches/EN-20:18/getfsstat.patch (contents, props changed)
head/share/security/patches/EN-20:18/getfsstat.patch.asc (contents, props changed)
head/share/security/patches/SA-20:24/
head/share/security/patches/SA-20:24/ipv6.patch (contents, props changed)
head/share/security/patches/SA-20:24/ipv6.patch.asc (contents, props changed)
head/share/security/patches/SA-20:25/
head/share/security/patches/SA-20:25/sctp.11.3.patch (contents, props changed)
head/share/security/patches/SA-20:25/sctp.11.3.patch.asc (contents, props changed)
head/share/security/patches/SA-20:25/sctp.11.4.patch (contents, props changed)
head/share/security/patches/SA-20:25/sctp.11.4.patch.asc (contents, props changed)
head/share/security/patches/SA-20:25/sctp.12.1.patch (contents, props changed)
head/share/security/patches/SA-20:25/sctp.12.1.patch.asc (contents, props changed)
head/share/security/patches/SA-20:26/
head/share/security/patches/SA-20:26/dhclient.patch (contents, props changed)
head/share/security/patches/SA-20:26/dhclient.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
head/share/xml/notices.xml
Added: head/share/security/advisories/FreeBSD-EN-20:17.linuxthread.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-20:17.linuxthread.asc Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:17.linuxthread Errata Notice
+ The FreeBSD Project
+
+Topic: FreeBSD Linux ABI kernel panic
+
+Category: core
+Module: kernel
+Announced: 2020-09-02
+Credits: Martin Filla
+ Henrique L. Amorim, Independent Security Researcher
+ Rodrigo Rubira Branco (BSDaemon), Amazon Web Services
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-06-25 05:24:35 UTC (stable/12, 12.1-STABLE)
+ 2020-09-02 16:21:27 UTC (releng/12.1, 12.1-RELEASE-p9)
+ 2020-06-25 05:35:46 UTC (stable/11, 11.4-STABLE)
+ 2020-09-02 16:21:27 UTC (releng/11.4, 11.4-RELEASE-p3)
+ 2020-09-02 16:21:27 UTC (releng/11.3, 11.3-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The Linux ABI layer (Linuxulator) allows Linux binaries to be executed on a
+FreeBSD kernel.
+
+II. Problem Description
+
+The kernel function handling exec(3) of a Linux binary did not correctly
+handle a calling process with multiple threads.
+
+III. Impact
+
+A multithread non-Linux process execing a Linux binary would fail a kernel
+assertion, resuting in a kernel panic "thread_detach: emuldata not found."
+
+IV. Workaround
+
+No workaround is available. Systems not using the Linux ABI layer are not
+affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:17/linuxthread.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:17/linuxthread.patch.asc
+# gpg --verify linuxthread.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r362605
+releng/12.1/ r365253
+stable/11/ r362606
+releng/11.4/ r365253
+releng/11.3/ r365253
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247020>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:17.linuxthread.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzRZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIZEw//QwJJ3DX0k1PnOwRDdl5KSORAZq1Qfa0Rdo4N3QK31Ap/GiAmW+6wZRr1
+Cb3dAywlfjw8F+Hnxc6za1V0W7Ckr/tbJHGt1XXsq8Pjpc6+GdNGRZi7eiAQHvU7
+I9xkL1jnerBY0l5hq8A6ti1vhraNEFvA0/0lluhqCpgFPEtc/vbvKemyC0RAKVzF
+wAz7P3/OyQqcd5qVHBIYfOziau/lfQ2/qD+6hLSZ5pgGX4e/tB1NrYVSd0vNevOl
+d3P9LDQYxSIzQ5jHbfLSFOPkT471ItJ6+QW+pAIZQ0Sv4hTQPBRHOL4ZfXG/IDgr
++mVBa6L8lykeC+xh9Teih+dKqZRY5SzKuZVUqURCY2P6miq8C5A2eiTtGIIuwgFF
+okqTJx0a+ECAEc7dmaEAM8snqKiPYgu1cCOXKrvAPpkB/Ss1w0Zr/YxLW6v3lMmO
+nFOUGeXF9hLxDIINdKRNdaum8aqy1Vtg6xKNfP6z/H4V6saLSLrWk0M2HDKNOyts
+MHc/P7zg7hMw1ft/VhiOEWgCk7Se3Q1D2IY53BsUNgtbs5ti29mEeOkNO09FkPYL
+t9f3uIOZD9PLg1kDIDA97DulL95gXyX2K10wHciOnDgU+UitHCOqXAnkYGKbezfS
+ID1JRdq4uHHIjPOTOiUkTYJDnR/Lgz2572KkTjM5d7YOviS8nS0=
+=1pOR
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-EN-20:18.getfsstat.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-20:18.getfsstat.asc Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,124 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:18.getfsstat Errata Notice
+ The FreeBSD Project
+
+Topic: getfsstat compatibility system call panic
+
+Category: core
+Module: getfsstat
+Announced: 2020-09-02
+Credits: Rodrigo Rubira Branco (BSDaemon), Amazon Web Services
+Affects: FreeBSD 11.3 and 11.4
+Corrected: 2020-06-20 04:39:52 UTC (stable/11, 11.4-STABLE)
+ 2020-09-02 16:22:14 UTC (releng/11.4, 11.4-RELEASE-p3)
+ 2020-09-02 16:22:14 UTC (releng/11.3, 11.3-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+getfsstat(2) is a system call which provides information about mounted
+filesystems. The kernel provides compatibility system calls for old
+versions of the interface.
+
+II. Problem Description
+
+A bug in an internal interface used by getfsstat(2) compatibility system
+calls could result in a free of an uninitialized pointer when getfsstat(2)
+is called with an invalid argument.
+
+III. Impact
+
+A kernel panic can be triggered by an unprivileged user process.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:18/getfsstat.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:18/getfsstat.patch.asc
+# gpg --verify getfsstat.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/11/ r362426
+releng/11.4/ r365254
+releng/11.3/ r365254
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:18.getfsstat.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzSVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJrrw/9E3bKTN36F+FPrGdi6wWeAHUEZt3hoonrFqrn4SPUEVSRkk39HGpitgJ8
+KU7HDr9U9B6zaIYnqE+1BWiIYYhqQQM5zb77TGr0fy/LVa8a+m/6o9wzib26lsAT
+jrBS0hsZ0Swb8TlrQdaEpLp1wkEdhy5t10hJ/+/nezzo+q2C52m4Bs80J7gE9BCq
+uxgCRlnld3fXJrKrOva8WfvMziE8nV9CzKF9luYlP7U9s1PS5H5U6r22Y8tvzZqS
+IbH60i7vPhlqX8faxZfKGRIABsJhnee98JF0rDRBOmMwTnFBTmaot75eEjwZIc5p
+0GtM27NOM6a/AaO9Yr8U4PI0PffTi8hVm/1t6dlhG5X3O7IUxKC0XT1vlh3jJ1j2
+9i1iuuGU3zSzTSMyWMmzuxCz/YK0C/g4C86ehkdxOYtn6RV31rMSoKdPjxSbyhIJ
+ef1eXHm6iBM8aofto24WjCSftPno0rx1peeOnKAqvpTpGH+n08H6iRFagaOt6kkQ
+qhy+ZtrlzmjUeUqwLSnyuHJtK+QkP1WFTnT9QgMPnqpRB9e+OsQC2K1KgR9lkOG0
+2kyTu+fJGkNvhiHxKuvIsh5OiNvNm/QHYwESaGPbFhierh+CHs00M00GyeeCjBSr
+nMbA3DsD3OxrrxYqh/17x4XoiopY6gUSlDSG+RbsTFsTqTxi308=
+=E4P4
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-20:24.ipv6.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:24.ipv6.asc Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,124 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:24.ipv6 Security Advisory
+ The FreeBSD Project
+
+Topic: IPv6 Hop-by-Hop options use-after-free bug
+
+Category: core
+Module: kernel
+Announced: 2020-09-02
+Affects: FreeBSD 11.3
+Corrected: 2020-05-07 01:28:59 UTC (stable/11, 11.4-PRERELEASE)
+ 2020-09-02 16:23:15 UTC (releng/11.3, 11.3-RELEASE-p13)
+CVE Name: CVE-2020-7462
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+IPv6 is a network layer supporting Hop-by-Hop options, which can be sent by
+applications via the socket API. The memory management for packet handling
+is done using mbufs.
+
+II. Problem Description
+
+Due to improper mbuf handling in the kernel, a use-after-free bug might be
+triggered by sending IPv6 Hop-by-Hop options over the loopback interface.
+
+III. Impact
+
+Triggering the use-after-free situation may result in unintended kernel
+behaviour including a kernel panic.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch.asc
+# gpg --verify ipv6.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/11/ r360733
+releng/11.3/ r365255
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7462>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:24.ipv6.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLJYxAAotGAWrawa3gRK8gVpEIJiYknR9bODjDojm7KovlkuKeYAkyQ92/Ii23U
+U6tMXSPDYQFyscOdrGq4yEjxRDLLkGQGynQpioinDn8POKX7BKpy+PFFdv1mmBef
+h/WpgmlPdhymYisaImgVyGAxU81auzpFB6mArzFDCdHavTd7jVD2lJwcpdzeOk//
+NHOsj8C4VYJs0XcYrNa4CEWfH/D/uNO8u2b3QUfKQSOdfIfaDv22k2b96YKm+zcr
+xS7Q1jDv7QBTQou7KNOfoPi0Gclp8Q9VReP2nY/hB5TmJjR3irz+Z6UcGfiyDGrL
+XRB7oP23jIUmBbsINUN06FIhAPGF9/7zcOOoV1YOdwvmbLM0/W4c+mERZ16gw6+N
+MzCLDOeiyKAUr+pQzcl6lORxr31eB8400l6nRJwmCiWx4nHwyHPIl1RtfvsdNqfE
+/OBVEalxsCrzStfW4ME5RziPo9Y8DrajPf7+JY/4CIV3v/dJAiGi3+qs9Zn8enar
+WCR/8+o4xbT+d1sGTG1W3Qjh9a28jxqEusLjdehDy8PTk9OnIfPRuxj+kvot3Wo0
+lWdeSIo8YZPYn7hG9N19k6aDlljM1fgkBmWj1uELtCeIE7WM5tHGMBuaS0cTt1jL
+s2g01qgkgW2a6cChdm3oNfUKE5KpD3/hU63/jEA6QyJJQQqXlOs=
+=kFlz
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-20:25.sctp.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:25.sctp.asc Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:25.sctp Security Advisory
+ The FreeBSD Project
+
+Topic: SCTP socket use-after-free bug
+
+Category: core
+Module: kernel
+Announced: 2020-09-02
+Credits: Megan2013678 at protonmail.com
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-08-24 09:19:05 UTC (stable/12, 12.1-STABLE)
+ 2020-09-02 16:24:32 UTC (releng/12.1, 12.1-RELEASE-p9)
+ 2020-08-24 09:46:36 UTC (stable/11, 11.4-STABLE)
+ 2020-09-02 16:24:32 UTC (releng/11.4, 11.4-RELEASE-p3)
+ 2020-09-02 16:24:32 UTC (releng/11.3, 11.3-RELEASE-p13)
+CVE Name: CVE-2020-7463
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The Stream Control Transmission Protocol (SCTP) is a message oriented
+transport protocol supporting arbitrary large user messages.
+It can be accessed from applications by using the the socket API.
+
+II. Problem Description
+
+Due to improper handling in the kernel, a use-after-free bug can be triggered
+by sending large user messages from multiple threads on the same socket.
+
+III. Impact
+
+Triggering the use-after-free situation may result in unintended kernel
+behaviour including a kernel panic.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.12.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.12.1.patch.asc
+# gpg --verify sctp.12.1.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.4.patch.asc
+# gpg --verify sctp.11.4.patch.asc
+
+[FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.3.patch.asc
+# gpg --verify sctp.11.3.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r364644
+releng/12.1/ r365256
+stable/11/ r364651
+releng/11.4/ r365256
+releng/11.3/ r365256
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7463>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:25.sctp.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIMPw//ZOYh7TQdwvreQ/iZbJphPp7hBVJqFWPE9M72Yfo87/vkl+T5/GW9wiLT
+MQlknQ7SDyzE7i8RpGvX0lmXLbr1e2rkvin1ZFdCbWkPzC7w0WVH7XX6+I+RJmkh
+E4dtmHrYhLRwmVtW5WYZdfO+iYVTJl/h43eYbYvNgJZSuKkvl2Vk6DqyseHx7xR6
+gc7/41AIpMiqRLQI9ZnRvZCEiLq4G+q5z499ACfAutT9o+1T9L6QLCPuyY+fziiq
+cI2E/pQA5uxOY/z3ejKHeOzErjycY6GEhMiBKmsJqV6oU/cZd5hZ1qsmE9Xbi3/c
+Ax+OZr+Ve2a78dD7jOrmCrpBtG1Pg39c6VuQqHD3UN3seBNEkn4kto9vDX9fLceD
+GZbueV97boFxjnXu1B6C8ufqEZDqTaf/SU3+vCobBgydP+V8c1P5LbP6qcFHOUrk
+k7ijiJv03aYyY1Z6XtqbRsudZzIaTt+jneUA1eA46iWQqVZQHKo2liw5kAtsGu0k
+injGcazWRphV6xgOHIMCfrGcLLf0j+4UjiDUk30cansLGewuk/uEh6FlA4NzyRWA
+4L3Q0l/XQWvO2sNMtF9LbBUUujDyy93Vy8BouSp59v7+bAYrRHfcIAmaQnE4jev2
+BY7/JsrfQ9rG/Anzg49Hec8pw9VEvv4kA1STqXcpMt9Fq+0DslA=
+=2ET6
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-20:26.dhclient.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:26.dhclient.asc Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:26.dhclient Security Advisory
+ The FreeBSD Project
+
+Topic: dhclient heap overflow
+
+Category: core
+Module: dhclient
+Announced: 2020-09-02
+Credits: Shlomi Oberman, JSOF
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-08-31 21:28:09 UTC (stable/12, 12.1-STABLE)
+ 2020-09-02 16:25:31 UTC (releng/12.1, 12.1-RELEASE-p9)
+ 2020-08-31 21:28:57 UTC (stable/11, 11.4-STABLE)
+ 2020-09-02 16:25:31 UTC (releng/11.4, 11.4-RELEASE-p3)
+ 2020-09-02 16:25:31 UTC (releng/11.3, 11.3-RELEASE-p13)
+CVE Name: CVE-2020-7461
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is
+responsible for contacting DHCP servers on a network segment, and for
+initializing and configuring network interfaces and configuring name
+resolution based on received information.
+
+dhclient(8) handles DHCP option 119, the Domain Search Option, which provides
+a list of domains to search when resolving names using DNS. The option data
+format uses a compression scheme to avoid transmitting duplicate domain name
+labels.
+
+II. Problem Description
+
+When parsing option 119 data, dhclient(8) computes the uncompressed domain
+list length so that it can allocate an appropriately sized buffer to store
+the uncompressed list. The code to compute the length failed to handle
+certain malformed input, resulting in a heap overflow when the uncompressed
+list is copied into in inadequately sized buffer.
+
+III. Impact
+
+The heap overflow could in principle be exploited to achieve remote code
+execution. The affected process runs with reduced privileges in a Capsicum
+sandbox, limiting the immediate impact of an exploit. However, it is
+possible the bug could be combined with other vulnerabilities to escape the
+sandbox.
+
+IV. Workaround
+
+No workaround is available. To trigger the bug, a system must be running
+dhclient(8) on the same network as a malicious DHCP server.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+restart dhclient or reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch.asc
+# gpg --verify dhclient.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r365010
+releng/12.1/ r365257
+stable/11/ r365011
+releng/11.4/ r365257
+releng/11.3/ r365257
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7461>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:26.dhclient.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTtfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLLPxAAhg/FSqWLykYAiQ8czoy98X00VIWAP1f4InfUKm8qOB8/7ptzv3A+2Hov
+7lHlyN0D4OwhJFt7fw9oTwNe4UgxShso6QrezaTJZR7juFELy9WODbRFnNK4i8w9
+NCBab+NIn1o7nFZnB0M5TMKfa4gc1jAV+Q/U/zi+ONvwZegmjXJxuop3Sq8wfBd2
+Vp9VAvEJvvBlQKExR2xNRDKV/0LpW+VffIuzlWT2ex3WwGpFVeVSL0ZNJsPbzMYX
+j0aqGo9B/mHfXtKSQ415kGxiaQctnu5FqjNgSc00byzOU0YTiLsPwPdUgIt+nuQd
+WFSePoZsDYstkkJ8YaCA/LVzmZo0tNR8m+z7xmhCszUbMIV+iRSycUexEbCXoPx/
+Ebg6ycyYMwguK7rL2dkjNWTkr3hP5CgLD7VnzVBYGiBY7ha0zOgbaYWl/33Az5Fb
+0eaIyJRFCDmI32NZfri1WLc06K1gFcVcR6VO+BUqRHG6bkYnF/4xlla8ERhYgNeC
+Y9cs4Y9TNRges79k7jovpu9B5nicTEqMRQBubcARX5+w9zLg8h2aKH6inuVy1srn
+M9H/mjdCHMkySpSSrENw9Jk5I7RAgHHRgA1OTkB6Da02aMzPEh6fYHWeR7IpvxPc
+2A/hxnZy0tTeZ4aKbds1GYZWUVDd3I8DlSVcT5Bq1g5kk6I+PN8=
+=jfay
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-20:17/linuxthread.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-20:17/linuxthread.patch Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,63 @@
+--- sys/compat/linux/linux_emul.c.orig
++++ sys/compat/linux/linux_emul.c
+@@ -261,22 +261,13 @@
+ void
+ linux_proc_exec(void *arg __unused, struct proc *p, struct image_params *imgp)
+ {
+- struct thread *td = curthread;
++ struct thread *td;
+ struct thread *othertd;
+ #if defined(__amd64__)
+ struct linux_pemuldata *pem;
+ #endif
+
+- /*
+- * In a case of execing from Linux binary properly detach
+- * other threads from the user space.
+- */
+- if (__predict_false(SV_PROC_ABI(p) == SV_ABI_LINUX)) {
+- FOREACH_THREAD_IN_PROC(p, othertd) {
+- if (td != othertd)
+- (p->p_sysent->sv_thread_detach)(othertd);
+- }
+- }
++ td = curthread;
+
+ /*
+ * In a case of execing to Linux binary we create Linux
+@@ -284,11 +275,32 @@
+ */
+ if (__predict_false((imgp->sysent->sv_flags & SV_ABI_MASK) ==
+ SV_ABI_LINUX)) {
+-
+- if (SV_PROC_ABI(p) == SV_ABI_LINUX)
++ if (SV_PROC_ABI(p) == SV_ABI_LINUX) {
++ /*
++ * Process already was under Linuxolator
++ * before exec. Update emuldata to reflect
++ * single-threaded cleaned state after exec.
++ */
+ linux_proc_init(td, NULL, 0);
+- else
++ } else {
++ /*
++ * We are switching the process to Linux emulator.
++ */
+ linux_proc_init(td, td, 0);
++
++ /*
++ * Create a transient td_emuldata for all suspended
++ * threads, so that p->p_sysent->sv_thread_detach() ==
++ * linux_thread_detach() can find expected but unused
++ * emuldata.
++ */
++ FOREACH_THREAD_IN_PROC(td->td_proc, othertd) {
++ if (othertd != td) {
++ linux_proc_init(td, othertd,
++ LINUX_CLONE_THREAD);
++ }
++ }
++ }
+ #if defined(__amd64__)
+ /*
+ * An IA32 executable which has executable stack will have the
Added: head/share/security/patches/EN-20:17/linuxthread.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-20:17/linuxthread.patch.asc Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9Py7tfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLxQw/9HUXUeCz5XHIK6qL0yaGIDQh2QOlLXiHSf+5EvGOv+xFsP+IFFwWLNCud
+D5LCquLDcFOAxb2PZOZ8Of2zUtmiFGi2rly+aw//pNMiRzbI/wGfwvcr2iwleP0P
+DBn0PDJzOJO87FzjdPnm3p8GqlndCkb2YEDzVDCzA29uTyXbNSB38fj5W+Nqg/H3
+ouxl9NEcN5q8cdUn2//F6DX/NKKoQ+KUR5ImAm5VPDDzs+i3U7uIGO/o1B1iZd1+
+EvSLRDmaB58xmqbhudbb//gzJycD8OAv0djxjjfsYhR2yr1sKWi0+lM22QFvSPGY
+2PC4692pzOySX2sDf9qdVk2ljv8ab498Kkeo1fUtSTNIjwei2OjYsRYq5nmRfb0Q
+2pKHOb80NfQTMIZ6nQHNi6AQ9T/Jezp14VlCeMzkIWQ9o8Lez6W3fxy+59Ir+tQh
+CsWXIoTPXO9RjHkqQ8jw2F0qjI77dFxpN1hixi/3Wn5KA+3BkLidcCoXiejkR9jy
+FnmAAWjS97TIpLMMwScmA5X83wNpylX1Y+/69NNxw6IiJvNN4KhLWAj2V4l0OSrZ
+IJlBReeEJk0wL5z6JQyJ4XB6zTDjBb3Cx9grmDH6CPssLsDlcrJGyICpawXPLOeg
+aLg8h1bgD8YlMVxyxUgqpPGaCDwY1pRale8+mYbWFUWfGcCll5U=
+=InXC
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-20:18/getfsstat.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-20:18/getfsstat.patch Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,11 @@
+--- sys/kern/vfs_syscalls.c.orig
++++ sys/kern/vfs_syscalls.c
+@@ -409,6 +409,8 @@
+ case MNT_NOWAIT:
+ break;
+ default:
++ if (bufseg == UIO_SYSSPACE)
++ *buf = NULL;
+ return (EINVAL);
+ }
+ restart:
Added: head/share/security/patches/EN-20:18/getfsstat.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-20:18/getfsstat.patch.asc Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9Py7tfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cISgA/7Bc4uiJyULvRciFN5W7X1aNFKjFtBlP3LAsRVZFkAxxb5SEN9NIuMqru3
+smZ3oIPswksChJYWdGuiegvzVRPo73YinMnFZu+i064wLttnlOEJXIePfEgpvu81
+BaCtBI3iPrHroFA6LiSUPFlZUBYxl9sMucusRWOpORDPOeNVVoBm0jC282B2k6m0
+h6dPQG++ARXdoH8hBnXrZt17Lu8kK6BOQFysru8G35UCLf9jAczrzStaq9DC6rdi
+UHilIaeXKvEM10r7hos8d3wLQjpKRXcSEmcYAWgbCG8ewlSVDDhORftqZ2gv6I/P
+dqDwnwznS1ArhYWjk+RHheekbgqP89nJpaYT3rvne3wuzjX6fIDtJBEg0/v5PbOX
+VZu/5MG8M/l02j5NLghgGnqRmQjalpl4khsBBweQfht/w4eSURA219V497v6Dm0w
+cwk/+R1Nql7NY83PK3PhSvVkmjLvlRYYm47yJphWtqxZ2forwT9KSPZgcEYByd0t
+Fiw2rJCyUDXtgMPNmIYcqeX/5IUT921L1wr8VWCYdaS15qFEjU790M+moiK9j6En
+IyCsoNN6WASORwcgJGqi6kiScYQEUR+I34feox4dkfavDMrG2ll7Spzz4RZJSar/
+HF191J+feeHbMFcz7gqH6vumj8mMKrx/ARWD16OVSFIFaaF7QjA=
+=yl10
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-20:24/ipv6.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-20:24/ipv6.patch Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,37 @@
+--- sys/netinet6/ip6_input.c
++++ sys/netinet6/ip6_input.c
+@@ -402,20 +402,22 @@ VNET_SYSUNINIT(inet6, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, ip6_destroy, NULL);
+ #endif
+
+ static int
+-ip6_input_hbh(struct mbuf *m, uint32_t *plen, uint32_t *rtalert, int *off,
++ip6_input_hbh(struct mbuf **mp, uint32_t *plen, uint32_t *rtalert, int *off,
+ int *nxt, int *ours)
+ {
++ struct mbuf *m;
+ struct ip6_hdr *ip6;
+ struct ip6_hbh *hbh;
+
+- if (ip6_hopopts_input(plen, rtalert, &m, off)) {
++ if (ip6_hopopts_input(plen, rtalert, mp, off)) {
+ #if 0 /*touches NULL pointer*/
+- in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
++ in6_ifstat_inc((*mp)->m_pkthdr.rcvif, ifs6_in_discard);
+ #endif
+ goto out; /* m have already been freed */
+ }
+
+ /* adjust pointer */
++ m = *mp;
+ ip6 = mtod(m, struct ip6_hdr *);
+
+ /*
+@@ -855,7 +857,7 @@ ip6_input(struct mbuf *m)
+ */
+ plen = (u_int32_t)ntohs(ip6->ip6_plen);
+ if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
+- if (ip6_input_hbh(m, &plen, &rtalert, &off, &nxt, &ours) != 0)
++ if (ip6_input_hbh(&m, &plen, &rtalert, &off, &nxt, &ours) != 0)
+ return;
+ } else
+ nxt = ip6->ip6_nxt;
Added: head/share/security/patches/SA-20:24/ipv6.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-20:24/ipv6.patch.asc Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9Py7tfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIWLQ//f5XvBbodgJD5LiVh8RJwlPjdTI72UqY+YoFq2v3ELlaIL40Zpfr1WUE/
+70lPdfeX8GgKDLzvV0RA05HFYyhMD8zOY2TOglS0dEcU6gQ7z0ncPm3pmS2G8JjS
+/f8Lioqp1UbxROpW+vquj3Zls40Lkk5T2xOrhR6mNzOVSFHm3q8+ElPAEFsrfPy1
+KZEM3CefIEgngED9m5bUsICnuIIdyiOZW+zx+3NnJEzwL4laS7KKzzplzibBtogq
+2qx6tDnIatRUJLb7ZVzayW4FAT2aRhS02JqcnL5vljtkefr50f5a+yA8lflBJm5I
++3rCJcFG89c4OOjO6e7LtyorFk7OKtdWGkHFNLlXmN9C8a6Rap9r3SW3NC/6YJHB
+7v7sZ0WHv8ECl65HnA/KCBvtdfCUEb6EqOCJW2CncmVFdBxMcCOAsAdC36Cc4yPl
+3/7HFzhrO5LoM8xbGZdYKjb+T+LgsrIyeYgGr19RfoYNqVkzxxFX8Nz+OLwbPIC3
+/MTSM0VYEelmAEsFiEV4oL6D42xYhafXSRRstQAMSijW8v4ao8KpJaz2dzbcQ2NO
+U8S9NI3kwC7lvjO+hH1n7w2nJi25Z4fTBiz6vKCOYwEEN38tis6S2YOusfPiI39z
+0C8VvWVXRHUJBqsjBZ6I74Bs5CSjRSL2YQbVyvLl82WctHrXk5Q=
+=y2VF
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-20:25/sctp.11.3.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-20:25/sctp.11.3.patch Wed Sep 2 16:53:16 2020 (r54452)
@@ -0,0 +1,305 @@
+--- sys/netinet/sctp_input.c
++++ sys/netinet/sctp_input.c
+@@ -839,7 +839,6 @@ sctp_handle_abort(struct sctp_abort_chunk *abort,
+ SCTP_TCB_LOCK(stcb);
+ atomic_subtract_int(&stcb->asoc.refcnt, 1);
+ #endif
+- SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_WAS_ABORTED);
+ (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
+ SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
+ #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
+@@ -1989,7 +1988,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ /* send up all the data */
+ SCTP_TCB_SEND_LOCK(stcb);
+
+- sctp_report_all_outbound(stcb, 0, 1, SCTP_SO_LOCKED);
++ sctp_report_all_outbound(stcb, 0, SCTP_SO_LOCKED);
+ for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
+ stcb->asoc.strmout[i].chunks_on_queues = 0;
+ #if defined(SCTP_DETAILED_STR_STATS)
+--- sys/netinet/sctp_output.c
++++ sys/netinet/sctp_output.c
+@@ -13159,11 +13159,10 @@ sctp_lower_sosend(struct socket *so,
+ error = EINVAL;
+ goto out;
+ }
+- SCTP_TCB_SEND_UNLOCK(stcb);
+-
+ strm = &stcb->asoc.strmout[srcv->sinfo_stream];
+ if (strm->last_msg_incomplete == 0) {
+ do_a_copy_in:
++ SCTP_TCB_SEND_UNLOCK(stcb);
+ sp = sctp_copy_it_in(stcb, asoc, srcv, uio, net, max_len, user_marks_eor, &error);
+ if (error) {
+ goto out;
+@@ -13189,13 +13188,11 @@ sctp_lower_sosend(struct socket *so,
+ if (srcv->sinfo_flags & SCTP_UNORDERED) {
+ SCTP_STAT_INCR(sctps_sends_with_unord);
+ }
++ sp->processing = 1;
+ TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
+ stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, asoc, strm, sp, 1);
+- SCTP_TCB_SEND_UNLOCK(stcb);
+ } else {
+- SCTP_TCB_SEND_LOCK(stcb);
+ sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead);
+- SCTP_TCB_SEND_UNLOCK(stcb);
+ if (sp == NULL) {
+ /* ???? Huh ??? last msg is gone */
+ #ifdef INVARIANTS
+@@ -13207,7 +13204,16 @@ sctp_lower_sosend(struct socket *so,
+ goto do_a_copy_in;
+
+ }
++ if (sp->processing) {
++ SCTP_TCB_SEND_UNLOCK(stcb);
++ SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
++ error = EINVAL;
++ goto out;
++ } else {
++ sp->processing = 1;
++ }
+ }
++ SCTP_TCB_SEND_UNLOCK(stcb);
+ while (uio->uio_resid > 0) {
+ /* How much room do we have? */
+ struct mbuf *new_tail, *mm;
+@@ -13232,20 +13238,29 @@ sctp_lower_sosend(struct socket *so,
+ if (mm) {
+ sctp_m_freem(mm);
+ }
++ SCTP_TCB_SEND_LOCK(stcb);
++ if (sp != NULL) {
++ sp->processing = 0;
++ }
++ SCTP_TCB_SEND_UNLOCK(stcb);
+ goto out;
+ }
+ /* Update the mbuf and count */
+ SCTP_TCB_SEND_LOCK(stcb);
+- if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
++ if ((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
++ (stcb->asoc.state & SCTP_STATE_WAS_ABORTED)) {
+ /*
+ * we need to get out. Peer probably
+ * aborted.
+ */
+ sctp_m_freem(mm);
+- if (stcb->asoc.state & SCTP_PCB_FLAGS_WAS_ABORTED) {
++ if (stcb->asoc.state & SCTP_STATE_WAS_ABORTED) {
+ SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
+ error = ECONNRESET;
+ }
++ if (sp != NULL) {
++ sp->processing = 0;
++ }
+ SCTP_TCB_SEND_UNLOCK(stcb);
+ goto out;
+ }
+@@ -13305,6 +13320,11 @@ sctp_lower_sosend(struct socket *so,
+ /* wait for space now */
+ if (non_blocking) {
+ /* Non-blocking io in place out */
++ SCTP_TCB_SEND_LOCK(stcb);
++ if (sp != NULL) {
++ sp->processing = 0;
++ }
++ SCTP_TCB_SEND_UNLOCK(stcb);
+ goto skip_out_eof;
+ }
+ /* What about the INIT, send it maybe */
+@@ -13428,6 +13448,11 @@ sctp_lower_sosend(struct socket *so,
+ }
+ }
+ SOCKBUF_UNLOCK(&so->so_snd);
++ SCTP_TCB_SEND_LOCK(stcb);
++ if (sp != NULL) {
++ sp->processing = 0;
++ }
++ SCTP_TCB_SEND_UNLOCK(stcb);
+ goto out_unlocked;
+ }
+
+@@ -13437,12 +13462,19 @@ sctp_lower_sosend(struct socket *so,
+ }
+ }
+ SOCKBUF_UNLOCK(&so->so_snd);
++ SCTP_TCB_SEND_LOCK(stcb);
+ if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
++ if (sp != NULL) {
++ sp->processing = 0;
++ }
++ SCTP_TCB_SEND_UNLOCK(stcb);
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-doc-head
mailing list