author | Michael Tuexen <tuexen@FreeBSD.org> | 2021-05-12 21:02:31 +0000 |
---|---|---|
committer | Michael Tuexen <tuexen@FreeBSD.org> | 2021-05-12 21:05:28 +0000 |
commit | eec6aed5b8c848841ae8d25940e0a333e5039ce9 (patch) | |
tree | a1bb300104f4323057e5bdf36a39e36a53796564 | |
parent | e06874f3f6d1f9a737f4d6489a3de676a5cdc9ec (diff) | |
sctp: fix another locking bug in COOKIE handling
Thanks to Tolya Korniltsev for reporting the issue for
the userland stack and testing the fix.
MFC after: 3 days
-rw-r--r-- | sys/netinet/sctp_input.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c index f066cc100ac2..442e58afd0ff 100644 --- a/sys/netinet/sctp_input.c +++ b/sys/netinet/sctp_input.c @@ -1752,17 +1752,23 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, struct sctpasochead *head; if (asoc->peer_supports_nat) { + struct sctp_tcb *local_stcb; + /* * This is a gross gross hack. Just call the * cookie_new code since we are allowing a duplicate * association. I hope this works... */ - return (sctp_process_cookie_new(m, iphlen, offset, src, dst, + local_stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst, sh, cookie, cookie_len, inp, netp, init_src, notification, auth_skipped, auth_offset, auth_len, mflowtype, mflowid, - vrf_id, port)); + vrf_id, port); + if (local_stcb == NULL) { + SCTP_TCB_UNLOCK(stcb); + } + return (local_stcb); } /* * case A in Section 5.2.4 Table 2: XXMM (peer restarted) |
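Review bot: The added `SCTP_TCB_UNLOCK(stcb)` in the `asoc->peer_supports_nat` branch covers only the NULL return, and nothing in the hunk says what happens to the lock on `stcb` when `sctp_process_cookie_new()` succeeds. If `local_stcb` can be a different TCB than `stcb` on that path, the caller presumably unlocks only the returned one and the existing association would stay locked; this cannot be confirmed from these lines, because `sctp_process_cookie_existing()` starts and ends outside the hunk. As this code handles a cookie received from the peer, a lock imbalance here would surface as a hang triggered by network input, so the contract deserves a comment next to the check, for example `/* No TCB is returned on failure, so release the lock held on the existing stcb here. */`. The success path should either release `stcb` as well or carry a comment naming who does.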