Date: Mon, 6 Feb 2023 22:21:04 GMT From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 4da78e7a355e - stable/13 - sctp: improve delivery of stream reset notifications Message-ID: <202302062221.316ML4lZ060075@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=4da78e7a355e702d5cc353f06669b6ef6f43b559 commit 4da78e7a355e702d5cc353f06669b6ef6f43b559 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2023-02-02 13:46:10 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2023-02-06 22:20:32 +0000 sctp: improve delivery of stream reset notifications Two functions are not called via sctp_ulp_notify() and therefore need additional checks when being called. Reported by: syzbot+eb888d3a5a6c54413de5@syzkaller.appspotmail.com (cherry picked from commit 7b2f1a7fe9445ea318f34bd3db971076b61ef831) --- sys/netinet/sctputil.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c index 1b2ba9371021..a56120b99f47 100644 --- a/sys/netinet/sctputil.c +++ b/sys/netinet/sctputil.c @@ -3815,10 +3815,17 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb, uint16_t numberin, uint16_t struct sctp_stream_change_event *stradd; if ((stcb == NULL) || - (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) || + (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) { + /* If the socket is gone we are out of here. */ + return; + } + if (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT)) { /* event not enabled */ return; } + if ((stcb->asoc.peer_req_out) && flag) { /* Peer made the request, don't tell the local user */ stcb->asoc.peer_req_out = 0; @@ -3871,10 +3878,17 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb, uint32_t sending_tsn, uint32 struct sctp_assoc_reset_event *strasoc; if ((stcb == NULL) || - (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) || + (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) { + /* If the socket is gone we are out of here. */ + return; + } + if (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT)) { /* event not enabled */ return; } + m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA); if (m_notify == NULL) /* no space left */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202302062221.316ML4lZ060075>