diff options
| author | Michael Tuexen <tuexen@FreeBSD.org> | 2022-05-29 18:40:30 +0000 |
|---|---|---|
| committer | Michael Tuexen <tuexen@FreeBSD.org> | 2022-05-29 18:40:30 +0000 |
| commit | a6a596e102be19141d042813e7411c9d931663c7 (patch) | |
| tree | b201b66ea467c59a3ceb203a3c0a6b86a3215e0b /sys/netinet/sctp_usrreq.c | |
| parent | 245b056556e61792ae3cb21fd61e9b2ce362f4b9 (diff) | |
| download | src-a6a596e102be19141d042813e7411c9d931663c7.tar.gz src-a6a596e102be19141d042813e7411c9d931663c7.zip | |
sctp: improve handling of listen() call
Fail the listen() call for 1-to-1 style sockets when the SCTP
association has been shutdown or aborted.
Reported by: syzbot+6c484f116b9dc88f7db1@syzkaller.appspotmail.com
MFC after: 3 days
Diffstat (limited to 'sys/netinet/sctp_usrreq.c')
| -rw-r--r-- | sys/netinet/sctp_usrreq.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c index 05820f2b2859..caa763f28c8a 100644 --- a/sys/netinet/sctp_usrreq.c +++ b/sys/netinet/sctp_usrreq.c @@ -7221,6 +7221,15 @@ sctp_listen(struct socket *so, int backlog, struct thread *p) SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, error); goto out; } + if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && + ((inp->sctp_flags & SCTP_PCB_FLAGS_WAS_CONNECTED) || + (inp->sctp_flags & SCTP_PCB_FLAGS_WAS_ABORTED))) { + SOCK_UNLOCK(so); + solisten_proto_abort(so); + error = EINVAL; + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, error); + goto out; + } if (inp->sctp_flags & SCTP_PCB_FLAGS_UNBOUND) { if ((error = sctp_inpcb_bind_locked(inp, NULL, NULL, p))) { SOCK_UNLOCK(so); |