Date: Thu, 7 Mar 2019 08:43:20 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r344872 - head/sys/netinet Message-ID: <201903070843.x278hKMB069279@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Thu Mar 7 08:43:20 2019 New Revision: 344872 URL: https://svnweb.freebsd.org/changeset/base/344872 Log: After removing an entry from the stream scheduler list, set the pointers to NULL, since we are checking for it in case the element gets inserted again. This issue was found by running syzkaller. MFC after: 3 days Modified: head/sys/netinet/sctp_ss_functions.c Modified: head/sys/netinet/sctp_ss_functions.c ============================================================================== --- head/sys/netinet/sctp_ss_functions.c Thu Mar 7 04:43:08 2019 (r344871) +++ head/sys/netinet/sctp_ss_functions.c Thu Mar 7 08:43:20 2019 (r344872) @@ -78,9 +78,10 @@ sctp_ss_default_clear(struct sctp_tcb *stcb, struct sc SCTP_TCB_SEND_LOCK(stcb); } while (!TAILQ_EMPTY(&asoc->ss_data.out.wheel)) { - struct sctp_stream_out *strq = TAILQ_FIRST(&asoc->ss_data.out.wheel); + struct sctp_stream_out *strq; - TAILQ_REMOVE(&asoc->ss_data.out.wheel, TAILQ_FIRST(&asoc->ss_data.out.wheel), ss_params.rr.next_spoke); + strq = TAILQ_FIRST(&asoc->ss_data.out.wheel); + TAILQ_REMOVE(&asoc->ss_data.out.wheel, strq, ss_params.rr.next_spoke); strq->ss_params.rr.next_spoke.tqe_next = NULL; strq->ss_params.rr.next_spoke.tqe_prev = NULL; } @@ -793,12 +794,17 @@ static void sctp_ss_fcfs_clear(struct sctp_tcb *stcb, struct sctp_association *asoc, int clear_values, int holds_lock) { + struct sctp_stream_queue_pending *sp; + if (clear_values) { if (holds_lock == 0) { SCTP_TCB_SEND_LOCK(stcb); } while (!TAILQ_EMPTY(&asoc->ss_data.out.list)) { - TAILQ_REMOVE(&asoc->ss_data.out.list, TAILQ_FIRST(&asoc->ss_data.out.list), ss_next); + sp = TAILQ_FIRST(&asoc->ss_data.out.list); + TAILQ_REMOVE(&asoc->ss_data.out.list, sp, ss_next); + sp->ss_next.tqe_next = NULL; + sp->ss_next.tqe_prev = NULL; } if (holds_lock == 0) { SCTP_TCB_SEND_UNLOCK(stcb); @@ -861,6 +867,8 @@ sctp_ss_fcfs_remove(struct sctp_tcb *stcb, struct sctp ((sp->ss_next.tqe_next != NULL) || (sp->ss_next.tqe_prev != NULL))) { TAILQ_REMOVE(&asoc->ss_data.out.list, sp, ss_next); + sp->ss_next.tqe_next = NULL; + sp->ss_next.tqe_prev = NULL; } if (holds_lock == 0) { SCTP_TCB_SEND_UNLOCK(stcb);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903070843.x278hKMB069279>