svn commit: r344872 - head/sys/netinet

Michael Tuexen tuexen at FreeBSD.org
Thu Mar 7 08:43:21 UTC 2019 

Author: tuexen
Date: Thu Mar  7 08:43:20 2019
New Revision: 344872
URL: https://svnweb.freebsd.org/changeset/base/344872

Log:
  After removing an entry from the stream scheduler list, set the pointers
  to NULL, since we are checking for it in case the element gets inserted
  again.
  
  This issue was found by running syzkaller.
  
  MFC after:		3 days

Modified:
  head/sys/netinet/sctp_ss_functions.c

Modified: head/sys/netinet/sctp_ss_functions.c
==============================================================================
--- head/sys/netinet/sctp_ss_functions.c	Thu Mar  7 04:43:08 2019	(r344871)
+++ head/sys/netinet/sctp_ss_functions.c	Thu Mar  7 08:43:20 2019	(r344872)
@@ -78,9 +78,10 @@ sctp_ss_default_clear(struct sctp_tcb *stcb, struct sc
 		SCTP_TCB_SEND_LOCK(stcb);
 	}
 	while (!TAILQ_EMPTY(&asoc->ss_data.out.wheel)) {
-		struct sctp_stream_out *strq = TAILQ_FIRST(&asoc->ss_data.out.wheel);
+		struct sctp_stream_out *strq;
 
-		TAILQ_REMOVE(&asoc->ss_data.out.wheel, TAILQ_FIRST(&asoc->ss_data.out.wheel), ss_params.rr.next_spoke);
+		strq = TAILQ_FIRST(&asoc->ss_data.out.wheel);
+		TAILQ_REMOVE(&asoc->ss_data.out.wheel, strq, ss_params.rr.next_spoke);
 		strq->ss_params.rr.next_spoke.tqe_next = NULL;
 		strq->ss_params.rr.next_spoke.tqe_prev = NULL;
 	}
@@ -793,12 +794,17 @@ static void
 sctp_ss_fcfs_clear(struct sctp_tcb *stcb, struct sctp_association *asoc,
     int clear_values, int holds_lock)
 {
+	struct sctp_stream_queue_pending *sp;
+
 	if (clear_values) {
 		if (holds_lock == 0) {
 			SCTP_TCB_SEND_LOCK(stcb);
 		}
 		while (!TAILQ_EMPTY(&asoc->ss_data.out.list)) {
-			TAILQ_REMOVE(&asoc->ss_data.out.list, TAILQ_FIRST(&asoc->ss_data.out.list), ss_next);
+			sp = TAILQ_FIRST(&asoc->ss_data.out.list);
+			TAILQ_REMOVE(&asoc->ss_data.out.list, sp, ss_next);
+			sp->ss_next.tqe_next = NULL;
+			sp->ss_next.tqe_prev = NULL;
 		}
 		if (holds_lock == 0) {
 			SCTP_TCB_SEND_UNLOCK(stcb);
@@ -861,6 +867,8 @@ sctp_ss_fcfs_remove(struct sctp_tcb *stcb, struct sctp
 	    ((sp->ss_next.tqe_next != NULL) ||
 	    (sp->ss_next.tqe_prev != NULL))) {
 		TAILQ_REMOVE(&asoc->ss_data.out.list, sp, ss_next);
+		sp->ss_next.tqe_next = NULL;
+		sp->ss_next.tqe_prev = NULL;
 	}
 	if (holds_lock == 0) {
 		SCTP_TCB_SEND_UNLOCK(stcb);

More information about the svn-src-all mailing list