Date: Thu, 16 May 2019 09:13:42 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r347669 - stable/11/sys/netinet Message-ID: <201905160913.x4G9DgKF039841@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Thu May 16 09:13:41 2019 New Revision: 347669 URL: https://svnweb.freebsd.org/changeset/base/347669 Log: MFC r344872: After removing an entry from the stream scheduler list, set the pointers to NULL, since we are checking for it in case the element gets inserted again. This issue was found by running syzkaller. Modified: stable/11/sys/netinet/sctp_ss_functions.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet/sctp_ss_functions.c ============================================================================== --- stable/11/sys/netinet/sctp_ss_functions.c Thu May 16 09:12:13 2019 (r347668) +++ stable/11/sys/netinet/sctp_ss_functions.c Thu May 16 09:13:41 2019 (r347669) @@ -76,9 +76,10 @@ sctp_ss_default_clear(struct sctp_tcb *stcb, struct sc SCTP_TCB_SEND_LOCK(stcb); } while (!TAILQ_EMPTY(&asoc->ss_data.out.wheel)) { - struct sctp_stream_out *strq = TAILQ_FIRST(&asoc->ss_data.out.wheel); + struct sctp_stream_out *strq; - TAILQ_REMOVE(&asoc->ss_data.out.wheel, TAILQ_FIRST(&asoc->ss_data.out.wheel), ss_params.rr.next_spoke); + strq = TAILQ_FIRST(&asoc->ss_data.out.wheel); + TAILQ_REMOVE(&asoc->ss_data.out.wheel, strq, ss_params.rr.next_spoke); strq->ss_params.rr.next_spoke.tqe_next = NULL; strq->ss_params.rr.next_spoke.tqe_prev = NULL; } @@ -791,12 +792,17 @@ static void sctp_ss_fcfs_clear(struct sctp_tcb *stcb, struct sctp_association *asoc, int clear_values, int holds_lock) { + struct sctp_stream_queue_pending *sp; + if (clear_values) { if (holds_lock == 0) { SCTP_TCB_SEND_LOCK(stcb); } while (!TAILQ_EMPTY(&asoc->ss_data.out.list)) { - TAILQ_REMOVE(&asoc->ss_data.out.list, TAILQ_FIRST(&asoc->ss_data.out.list), ss_next); + sp = TAILQ_FIRST(&asoc->ss_data.out.list); + TAILQ_REMOVE(&asoc->ss_data.out.list, sp, ss_next); + sp->ss_next.tqe_next = NULL; + sp->ss_next.tqe_prev = NULL; } if (holds_lock == 0) { SCTP_TCB_SEND_UNLOCK(stcb); @@ -859,6 +865,8 @@ sctp_ss_fcfs_remove(struct sctp_tcb *stcb, struct sctp ((sp->ss_next.tqe_next != NULL) || (sp->ss_next.tqe_prev != NULL))) { TAILQ_REMOVE(&asoc->ss_data.out.list, sp, ss_next); + sp->ss_next.tqe_next = NULL; + sp->ss_next.tqe_prev = NULL; } if (holds_lock == 0) { SCTP_TCB_SEND_UNLOCK(stcb);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201905160913.x4G9DgKF039841>