Date: Fri, 1 Jan 2021 15:44:04 GMT From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: a7aa5eea4fff - main - sctp: improve handling of aborted associations Message-ID: <202101011544.101Fi4AO071469@gitrepo.freebsd.org>
The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=a7aa5eea4fff4eeab278e36af34fd8554e63dc20 commit a7aa5eea4fff4eeab278e36af34fd8554e63dc20 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2021-01-01 14:59:10 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2021-01-01 14:59:10 +0000 sctp: improve handling of aborted associations Don't clear a flag, when the structure already has been freed. Reported by: syzbot+07667d16c96779c737b4@syzkaller.appspotmail.com --- sys/netinet/sctp_output.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index dcd59719b6e1..d8cf063c6b53 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -13160,7 +13160,9 @@ skip_preblock:
 sctp_m_freem(mm);
 }
 SCTP_TCB_SEND_LOCK(stcb);
- if (sp != NULL) {
+ if (((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0) &&
+ ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) == 0) &&
+ (sp != NULL)) {
 sp->processing = 0;
 }
 SCTP_TCB_SEND_UNLOCK(stcb);
@@ -13179,9 +13181,6 @@ skip_preblock:
 SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
 error = ECONNRESET;
 }
- if (sp != NULL) {
- sp->processing = 0;
- }
 SCTP_TCB_SEND_UNLOCK(stcb);
 goto out;
 }
@@ -13372,7 +13371,9 @@ skip_preblock:
 }
 SOCKBUF_UNLOCK(&so->so_snd);
 SCTP_TCB_SEND_LOCK(stcb);
- if (sp != NULL) {
+ if (((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0) &&
+ ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) == 0) &&
+ (sp != NULL)) {
 sp->processing = 0;
 }
 SCTP_TCB_SEND_UNLOCK(stcb);
@@ -13386,10 +13387,8 @@ skip_preblock:
 }
 SOCKBUF_UNLOCK(&so->so_snd);
 SCTP_TCB_SEND_LOCK(stcb);
- if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
- if (sp != NULL) {
- sp->processing = 0;
- }
+ if ((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
+ (stcb->asoc.state & SCTP_STATE_WAS_ABORTED)) {
 SCTP_TCB_SEND_UNLOCK(stcb);
 goto out_unlocked;
 }
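Review bot: The new guard in front of `sp->processing = 0;` carries no comment saying why `sp` can be stale here, and the same three-line condition is repeated in the hunk at -13372. I would put `/* sp may already be freed once the association was aborted or is being torn down; only touch it while neither state bit is set. */` above the `if` at both sites. The guard is only sound if the path that frees `sp` sets those bits while holding the send lock taken here; the hunk does not show that, so it is worth confirming. A single mask test, `(stcb->asoc.state & (SCTP_STATE_ABOUT_TO_BE_FREED | SCTP_STATE_WAS_ABORTED)) == 0`, would keep the two sites easier to hold in sync. The enclosing function starts and ends outside the hunk.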
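Review bot: In the last hunk (-13386) the early exit to `out_unlocked` leaves the local `sp` holding its old value, although this branch is taken exactly when the entry may be gone. If nothing after the label needs the pointer (the label is outside the hunk), adding `sp = NULL;` before `SCTP_TCB_SEND_UNLOCK(stcb);` would make any later `sp != NULL` check skip it rather than reach freed memory. The branch now also fires for SCTP_STATE_WAS_ABORTED, so a short comment naming both cases and stating that `sp` must not be dereferenced here would document the wider exit.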