Date:      Fri, 9 Mar 2012 13:12:33 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r232723 - head/sys/netinet
Message-ID:  <201203091312.q29DCXLJ008313@svn.freebsd.org>

Author: tuexen
Date: Fri Mar  9 13:12:33 2012
New Revision: 232723
URL: http://svn.freebsd.org/changeset/base/232723

Log:
  Fix a bug reported by Peter Holm which results in a crash:
  Verify in sctp_peeloff() that the socket is a one-to-many
  style SCTP socket.
  
  MFC after: 3 days.

Modified:
  head/sys/netinet/sctp_peeloff.c

Modified: head/sys/netinet/sctp_peeloff.c
==============================================================================
--- head/sys/netinet/sctp_peeloff.c	Fri Mar  9 13:06:24 2012	(r232722)
+++ head/sys/netinet/sctp_peeloff.c	Fri Mar  9 13:12:33 2012	(r232723)
@@ -55,6 +55,15 @@ sctp_can_peel_off(struct socket *head, s
 	struct sctp_tcb *stcb;
 	uint32_t state;
 
+	if (head == NULL) {
+		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EBADF);
+		return (EBADF);
+	}
+	if ((head->so_proto->pr_protocol != IPPROTO_SCTP) ||
+	    (head->so_type != SOCK_SEQPACKET)) {
+		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EOPNOTSUPP);
+		return (EOPNOTSUPP);
+	}
 	inp = (struct sctp_inpcb *)head->so_pcb;
 	if (inp == NULL) {
 		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EFAULT);
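Review bot: Both added error paths pass `inp` to SCTP_LTRACE_ERR_RET before `inp` is assigned; the assignment only happens on the line after the new checks (`inp = (struct sctp_inpcb *)head->so_pcb;`). The declaration of `inp` is outside the hunk, so if it has no initializer and the trace macro evaluates its first argument, the trace output would carry an indeterminate stack value. Passing a literal avoids that in both places: `SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EBADF);` and the same for the EOPNOTSUPP case. sctp_can_peel_off() starts before and continues past this hunk.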


