Date: Sat, 4 May 2019 12:49:55 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r347116 - stable/12/sys/netinet Message-ID: <201905041249.x44Cnt7K083274@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Sat May 4 12:49:55 2019 New Revision: 347116 URL: https://svnweb.freebsd.org/changeset/base/347116 Log: MFC r345465: Fix a signed/unsigned bug when receiving SCTP messages. This is joint work with rrs@. MFC r345466: Fox more signed unsigned issues. This time on the send path. This is joint work with rrs@ and was found by running syzkaller. MFC r345467: Fix build issue for the userland stack. Joint work with rrs@. Modified: stable/12/sys/netinet/sctp_output.c stable/12/sys/netinet/sctp_structs.h stable/12/sys/netinet/sctputil.c stable/12/sys/netinet/sctputil.h Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/netinet/sctp_output.c ============================================================================== --- stable/12/sys/netinet/sctp_output.c Sat May 4 12:35:12 2019 (r347115) +++ stable/12/sys/netinet/sctp_output.c Sat May 4 12:49:55 2019 (r347116) @@ -6813,10 +6813,10 @@ sctp_sendall_completes(void *ptr, uint32_t val SCTP_UN } static struct mbuf * -sctp_copy_out_all(struct uio *uio, int len) +sctp_copy_out_all(struct uio *uio, ssize_t len) { struct mbuf *ret, *at; - int left, willcpy, cancpy, error; + ssize_t left, willcpy, cancpy, error; ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAITOK, 1, MT_DATA); if (ret == NULL) { @@ -6831,17 +6831,17 @@ sctp_copy_out_all(struct uio *uio, int len) at = ret; while (left > 0) { /* Align data to the end */ - error = uiomove(mtod(at, caddr_t), willcpy, uio); + error = uiomove(mtod(at, caddr_t), (int)willcpy, uio); if (error) { err_out_now: sctp_m_freem(at); return (NULL); } - SCTP_BUF_LEN(at) = willcpy; + SCTP_BUF_LEN(at) = (int)willcpy; SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0; left -= willcpy; if (left > 0) { - SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 1, MT_DATA); + SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg((unsigned int)left, 0, M_WAITOK, 1, MT_DATA); if (SCTP_BUF_NEXT(at) == NULL) { goto err_out_now; } @@ -6889,7 +6889,7 @@ sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL; /* get length and mbuf chain */ if (uio) { - ca->sndlen = (int)uio->uio_resid; + ca->sndlen = uio->uio_resid; ca->m = sctp_copy_out_all(uio, ca->sndlen); if (ca->m == NULL) { SCTP_FREE(ca, SCTP_M_COPYAL); @@ -12387,7 +12387,7 @@ sctp_copy_it_in(struct sctp_tcb *stcb, struct sctp_sndrcvinfo *srcv, struct uio *uio, struct sctp_nets *net, - int max_send_len, + ssize_t max_send_len, int user_marks_eor, int *error) { @@ -12533,7 +12533,7 @@ sctp_lower_sosend(struct socket *so, struct thread *p ) { - unsigned int sndlen = 0, max_len; + ssize_t sndlen = 0, max_len; int error, len; struct mbuf *top = NULL; int queue_only = 0, queue_only_for_init = 0; @@ -12555,7 +12555,8 @@ sctp_lower_sosend(struct socket *so, int got_all_of_the_send = 0; int hold_tcblock = 0; int non_blocking = 0; - uint32_t local_add_more, local_soresv = 0; + uint32_t local_add_more; + ssize_t local_soresv = 0; uint16_t port; uint16_t sinfo_flags; sctp_assoc_t sinfo_assoc_id; @@ -12585,12 +12586,12 @@ sctp_lower_sosend(struct socket *so, SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL); return (EINVAL); } - sndlen = (unsigned int)uio->uio_resid; + sndlen = uio->uio_resid; } else { top = SCTP_HEADER_TO_CHAIN(i_pak); sndlen = SCTP_HEADER_LEN(i_pak); } - SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %d\n", + SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zu\n", (void *)addr, sndlen); if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && @@ -12859,7 +12860,7 @@ sctp_lower_sosend(struct socket *so, } /* would we block? */ if (non_blocking) { - uint32_t amount; + ssize_t amount; if (hold_tcblock == 0) { SCTP_TCB_LOCK(stcb); @@ -12880,7 +12881,7 @@ sctp_lower_sosend(struct socket *so, error = EWOULDBLOCK; goto out_unlocked; } - stcb->asoc.sb_send_resv += sndlen; + stcb->asoc.sb_send_resv += (uint32_t)sndlen; SCTP_TCB_UNLOCK(stcb); hold_tcblock = 0; } else { @@ -12944,7 +12945,7 @@ sctp_lower_sosend(struct socket *so, /* Are we aborting? */ if (srcv->sinfo_flags & SCTP_ABORT) { struct mbuf *mm; - int tot_demand, tot_out = 0, max_out; + ssize_t tot_demand, tot_out = 0, max_out; SCTP_STAT_INCR(sctps_sends_with_abort); if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) || @@ -12978,7 +12979,7 @@ sctp_lower_sosend(struct socket *so, error = EMSGSIZE; goto out; } - mm = sctp_get_mbuf_for_msg(tot_demand, 0, M_WAITOK, 1, MT_DATA); + mm = sctp_get_mbuf_for_msg((unsigned int)tot_demand, 0, M_WAITOK, 1, MT_DATA); } if (mm == NULL) { SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM); @@ -12998,7 +12999,7 @@ sctp_lower_sosend(struct socket *so, ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT); ph->param_length = htons((uint16_t)(sizeof(struct sctp_paramhdr) + tot_out)); ph++; - SCTP_BUF_LEN(mm) = tot_out + sizeof(struct sctp_paramhdr); + SCTP_BUF_LEN(mm) = (int)(tot_out + sizeof(struct sctp_paramhdr)); if (top == NULL) { error = uiomove((caddr_t)ph, (int)tot_out, uio); if (error) { @@ -13079,7 +13080,7 @@ sctp_lower_sosend(struct socket *so, * For non-eeor the whole message must fit in * the socket send buffer. */ - local_add_more = sndlen; + local_add_more = (uint32_t)sndlen; } len = 0; if (non_blocking) { @@ -13229,14 +13230,14 @@ skip_preblock: if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) || (max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) || - (uio->uio_resid && (uio->uio_resid <= (int)max_len))) { + (uio->uio_resid && (uio->uio_resid <= max_len))) { sndout = 0; new_tail = NULL; if (hold_tcblock) { SCTP_TCB_UNLOCK(stcb); hold_tcblock = 0; } - mm = sctp_copy_resume(uio, max_len, user_marks_eor, &error, &sndout, &new_tail); + mm = sctp_copy_resume(uio, (int)max_len, user_marks_eor, &error, &sndout, &new_tail); if ((mm == NULL) || error) { if (mm) { sctp_m_freem(mm); @@ -13299,7 +13300,7 @@ skip_preblock: SCTP_TCB_LOCK(stcb); hold_tcblock = 1; } - sctp_prune_prsctp(stcb, asoc, srcv, sndlen); + sctp_prune_prsctp(stcb, asoc, srcv, (int)sndlen); inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb)); if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes; @@ -13421,7 +13422,7 @@ skip_preblock: min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) { if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) { sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK, - asoc, (size_t)uio->uio_resid); + asoc, uio->uio_resid); } be.error = 0; stcb->block_entry = &be; Modified: stable/12/sys/netinet/sctp_structs.h ============================================================================== --- stable/12/sys/netinet/sctp_structs.h Sat May 4 12:35:12 2019 (r347115) +++ stable/12/sys/netinet/sctp_structs.h Sat May 4 12:49:55 2019 (r347116) @@ -166,7 +166,7 @@ struct sctp_copy_all { struct sctp_inpcb *inp; /* ep */ struct mbuf *m; struct sctp_sndrcvinfo sndrcv; - int sndlen; + ssize_t sndlen; int cnt_sent; int cnt_failed; }; Modified: stable/12/sys/netinet/sctputil.c ============================================================================== --- stable/12/sys/netinet/sctputil.c Sat May 4 12:35:12 2019 (r347115) +++ stable/12/sys/netinet/sctputil.c Sat May 4 12:49:55 2019 (r347116) @@ -546,7 +546,7 @@ sctp_wakeup_log(struct sctp_tcb *stcb, uint32_t wake_c } void -sctp_log_block(uint8_t from, struct sctp_association *asoc, size_t sendlen) +sctp_log_block(uint8_t from, struct sctp_association *asoc, ssize_t sendlen) { #if defined(SCTP_LOCAL_TRACE_BUF) struct sctp_cwnd_log sctp_clog; @@ -5219,8 +5219,9 @@ sctp_sorecvmsg(struct socket *so, * */ struct sctp_inpcb *inp = NULL; - int my_len = 0; - int cp_len = 0, error = 0; + ssize_t my_len = 0; + ssize_t cp_len = 0; + int error = 0; struct sctp_queued_to_read *control = NULL, *ctl = NULL, *nxt = NULL; struct mbuf *m = NULL; struct sctp_tcb *stcb = NULL; @@ -5229,7 +5230,7 @@ sctp_sorecvmsg(struct socket *so, int out_flags = 0, in_flags = 0; int block_allowed = 1; uint32_t freed_so_far = 0; - uint32_t copied_so_far = 0; + ssize_t copied_so_far = 0; int in_eeor_mode = 0; int no_rcv_needed = 0; uint32_t rwnd_req = 0; @@ -5573,7 +5574,7 @@ found_one: * will go to the sctp_user_rcvd() that will not * lock until it KNOWs it MUST send a WUP-SACK. */ - freed_so_far = stcb->freed_by_sorcv_sincelast; + freed_so_far = (uint32_t)stcb->freed_by_sorcv_sincelast; stcb->freed_by_sorcv_sincelast = 0; } } @@ -5728,8 +5729,8 @@ get_more_data: m = control->data; while (m) { /* Move out all we can */ - cp_len = (int)uio->uio_resid; - my_len = (int)SCTP_BUF_LEN(m); + cp_len = uio->uio_resid; + my_len = SCTP_BUF_LEN(m); if (cp_len > my_len) { /* not enough in this buf */ cp_len = my_len; @@ -5739,7 +5740,7 @@ get_more_data: hold_rlock = 0; } if (cp_len > 0) - error = uiomove(mtod(m, char *), cp_len, uio); + error = uiomove(mtod(m, char *), (int)cp_len, uio); /* re-read */ if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { goto release; @@ -5784,7 +5785,7 @@ get_more_data: control->do_not_ref_stcb ? NULL : stcb, SCTP_LOG_SBRESULT, 0); } copied_so_far += cp_len; - freed_so_far += cp_len; + freed_so_far += (uint32_t)cp_len; freed_so_far += MSIZE; atomic_subtract_int(&control->length, cp_len); control->data = sctp_m_free(m); @@ -5824,9 +5825,9 @@ get_more_data: } if ((in_flags & MSG_PEEK) == 0) { SCTP_BUF_RESV_UF(m, cp_len); - SCTP_BUF_LEN(m) -= cp_len; + SCTP_BUF_LEN(m) -= (int)cp_len; if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) { - sctp_sblog(&so->so_rcv, control->do_not_ref_stcb ? NULL : stcb, SCTP_LOG_SBFREE, cp_len); + sctp_sblog(&so->so_rcv, control->do_not_ref_stcb ? NULL : stcb, SCTP_LOG_SBFREE, (int)cp_len); } atomic_subtract_int(&so->so_rcv.sb_cc, cp_len); if ((control->do_not_ref_stcb == 0) && @@ -5834,7 +5835,7 @@ get_more_data: atomic_subtract_int(&stcb->asoc.sb_cc, cp_len); } copied_so_far += cp_len; - freed_so_far += cp_len; + freed_so_far += (uint32_t)cp_len; freed_so_far += MSIZE; if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) { sctp_sblog(&so->so_rcv, control->do_not_ref_stcb ? NULL : stcb, @@ -6062,7 +6063,7 @@ wait_some_more: control->do_not_ref_stcb ? NULL : stcb, SCTP_LOG_SBFREE, SCTP_BUF_LEN(m)); } sctp_sbfree(control, stcb, &so->so_rcv, m); - freed_so_far += SCTP_BUF_LEN(m); + freed_so_far += (uint32_t)SCTP_BUF_LEN(m); freed_so_far += MSIZE; if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) { sctp_sblog(&so->so_rcv, Modified: stable/12/sys/netinet/sctputil.h ============================================================================== --- stable/12/sys/netinet/sctputil.h Sat May 4 12:35:12 2019 (r347115) +++ stable/12/sys/netinet/sctputil.h Sat May 4 12:49:55 2019 (r347116) @@ -367,7 +367,7 @@ void sctp_log_closing(struct sctp_inpcb *inp, struct s void sctp_log_lock(struct sctp_inpcb *inp, struct sctp_tcb *stcb, uint8_t from); void sctp_log_maxburst(struct sctp_tcb *stcb, struct sctp_nets *, int, int, uint8_t); -void sctp_log_block(uint8_t, struct sctp_association *, size_t); +void sctp_log_block(uint8_t, struct sctp_association *, ssize_t); void sctp_log_rwnd(uint8_t, uint32_t, uint32_t, uint32_t); void sctp_log_rwnd_set(uint8_t, uint32_t, uint32_t, uint32_t, uint32_t); int sctp_fill_stat_log(void *, size_t *);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201905041249.x44Cnt7K083274>