Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 7 May 2020 01:55:09 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r360738 - stable/11/sys/netinet
Message-ID:  <202005070155.0471t90p074627@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: tuexen
Date: Thu May  7 01:55:08 2020
New Revision: 360738
URL: https://svnweb.freebsd.org/changeset/base/360738

Log:
  MFC r352894: Don't use uninitialized memory.
  
  Don't use stack memory which is not initialized.
  Thanks to Mark Wodrich for reporting this issue for the userland stack in
  https://github.com/sctplab/usrsctp/issues/380
  This issue was also found for usrsctp by OSS-fuzz in
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17778

Modified:
  stable/11/sys/netinet/sctp_asconf.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/sctp_asconf.c
==============================================================================
--- stable/11/sys/netinet/sctp_asconf.c	Thu May  7 01:43:21 2020	(r360737)
+++ stable/11/sys/netinet/sctp_asconf.c	Thu May  7 01:55:08 2020	(r360738)
@@ -234,6 +234,7 @@ sctp_process_asconf_add_ip(struct sockaddr *src, struc
 		    "process_asconf_add_ip: using source addr ");
 		SCTPDBG_ADDR(SCTP_DEBUG_ASCONF1, src);
 	}
+	net = NULL;
 	/* add the address */
 	if (bad_address) {
 		m_reply = sctp_asconf_error_response(aph->correlation_id,
@@ -248,17 +249,19 @@ sctp_process_asconf_add_ip(struct sockaddr *src, struc
 		    SCTP_CAUSE_RESOURCE_SHORTAGE, (uint8_t *)aph,
 		    aparam_length);
 	} else {
-		/* notify upper layer */
-		sctp_ulp_notify(SCTP_NOTIFY_ASCONF_ADD_IP, stcb, 0, sa, SCTP_SO_NOT_LOCKED);
 		if (response_required) {
 			m_reply =
 			    sctp_asconf_success_response(aph->correlation_id);
 		}
-		sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, stcb->sctp_ep, stcb, net);
-		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
-		    stcb, net);
-		if (send_hb) {
-			sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
+		if (net != NULL) {
+			/* notify upper layer */
+			sctp_ulp_notify(SCTP_NOTIFY_ASCONF_ADD_IP, stcb, 0, sa, SCTP_SO_NOT_LOCKED);
+			sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, stcb->sctp_ep, stcb, net);
+			sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
+			    stcb, net);
+			if (send_hb) {
+				sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
+			}
 		}
 	}
 	return (m_reply);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202005070155.0471t90p074627>