Date: Mon, 25 May 2020 20:04:10 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r361469 - stable/11/sys/netinet Message-ID: <202005252004.04PK4ALr018382@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Mon May 25 20:04:09 2020 New Revision: 361469 URL: https://svnweb.freebsd.org/changeset/base/361469 Log: MFC r360869: Fix bug in PR-SCTP Only drop DATA chunk with lower priorities as specified in RFC 7496. This issue was found by looking at a reproducer generated by syzkaller. Modified: stable/11/sys/netinet/sctp_output.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet/sctp_output.c ============================================================================== --- stable/11/sys/netinet/sctp_output.c Mon May 25 17:47:31 2020 (r361468) +++ stable/11/sys/netinet/sctp_output.c Mon May 25 20:04:09 2020 (r361469) @@ -6198,11 +6198,11 @@ sctp_prune_prsctp(struct sctp_tcb *stcb, * This one is PR-SCTP AND buffer space * limited type */ - if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) { + if (chk->rec.data.timetodrop.tv_sec > (long)srcv->sinfo_timetolive) { /* * Lower numbers equates to higher * priority so if the one we are - * looking at has a larger or equal + * looking at has a larger * priority we want to drop the data * and NOT retransmit it. */ @@ -6233,7 +6233,7 @@ sctp_prune_prsctp(struct sctp_tcb *stcb, TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) { /* Here we must move to the sent queue and mark */ if (PR_SCTP_BUF_ENABLED(chk->flags)) { - if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) { + if (chk->rec.data.timetodrop.tv_sec > (long)srcv->sinfo_timetolive) { if (chk->data) { /* * We release the book_size @@ -12614,7 +12614,7 @@ sctp_lower_sosend(struct socket *so, top = SCTP_HEADER_TO_CHAIN(i_pak); sndlen = SCTP_HEADER_LEN(i_pak); } - SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zu\n", + SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zd\n", (void *)addr, sndlen); if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202005252004.04PK4ALr018382>