author | Michael Tuexen <tuexen@FreeBSD.org> | 2021-01-01 14:59:10 +0000 |
---|---|---|
committer | Michael Tuexen <tuexen@FreeBSD.org> | 2021-01-01 14:59:10 +0000 |
commit | a7aa5eea4fff4eeab278e36af34fd8554e63dc20 (patch) | |
tree | 2a4f40606ed95f30061cfb18216b1aa054751dc8 | |
parent | 543478be758fdfbf050eca5b58b7c74ba51b9175 (diff) | |
sctp: improve handling of aborted associations
Don't clear a flag when the structure has already been freed.
Reported by: syzbot+07667d16c96779c737b4@syzkaller.appspotmail.com
-rw-r--r-- | sys/netinet/sctp_output.c | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index dcd59719b6e1..d8cf063c6b53 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -13160,7 +13160,9 @@ skip_preblock:
  sctp_m_freem(mm);
  }
  SCTP_TCB_SEND_LOCK(stcb);
- if (sp != NULL) {
+ if (((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0) &&
+ ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) == 0) &&
+ (sp != NULL)) {
  sp->processing = 0;
  }
  SCTP_TCB_SEND_UNLOCK(stcb);
@@ -13179,9 +13181,6 @@ skip_preblock:
  SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
  error = ECONNRESET;
  }
- if (sp != NULL) {
- sp->processing = 0;
- }
  SCTP_TCB_SEND_UNLOCK(stcb);
  goto out;
  }
@@ -13372,7 +13371,9 @@ skip_preblock:
  }
  SOCKBUF_UNLOCK(&so->so_snd);
  SCTP_TCB_SEND_LOCK(stcb);
- if (sp != NULL) {
+ if (((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0) &&
+ ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) == 0) &&
+ (sp != NULL)) {
  sp->processing = 0;
  }
  SCTP_TCB_SEND_UNLOCK(stcb);
@@ -13386,10 +13387,8 @@ skip_preblock:
  }
  SOCKBUF_UNLOCK(&so->so_snd);
  SCTP_TCB_SEND_LOCK(stcb);
- if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
- if (sp != NULL) {
- sp->processing = 0;
- }
+ if ((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
+ (stcb->asoc.state & SCTP_STATE_WAS_ABORTED)) {
  SCTP_TCB_SEND_UNLOCK(stcb);
  goto out_unlocked;
  } |
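Review bot: The same two-flag test is now spelled out at three sites in two different shapes — the `== 0 &&` form in the first and third hunks and the `||` form in the fourth — so each site has to be verified by hand; a single mask test such as `if ((stcb->asoc.state & (SCTP_STATE_ABOUT_TO_BE_FREED | SCTP_STATE_WAS_ABORTED)) == 0 && (sp != NULL))` at each site would keep them identical and make the inverted fourth site obviously the same condition. Nothing in the hunks records why those two flags govern whether `sp` may be touched; a one-line comment at the first guard, `/* sp may already have been freed once the association is aborted or about to be freed; do not touch it then. */`, would carry the reason the commit message gives into the code. Whether reading `asoc.state` under `SCTP_TCB_SEND_LOCK` alone is ordered against the code that sets `SCTP_STATE_WAS_ABORTED` is not visible here and is worth confirming. The enclosing function, of which only the stretch after the `skip_preblock:` label is shown, starts and ends outside these hunks.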