authorMichael Tuexen <tuexen@FreeBSD.org>2021-09-20 13:52:10 +0000
committerMichael Tuexen <tuexen@FreeBSD.org>2021-09-20 13:52:10 +0000
commit34b1efcea19dd4324eecd19d2de313d039fd9656 (patch)
tree87d9101639a4c7c8ef470ea120fdd18d3be4c548 /sys/netinet
parentb94d360e4aa66d626ad5a0acde683ae9a9c71729 (diff)
sctp: use a valid outstream when adding it to the scheduler
Without holding the stcb send lock, the outstreams might get reallocated if the number of streams is increased. Reported by: syzbot+4a5431d7caa666f2c19c@syzkaller.appspotmail.com Reported by: syzbot+aa2e3b013a48870e193d@syzkaller.appspotmail.com Reported by: syzbot+e4368c3bde07cd2fb29f@syzkaller.appspotmail.com Reported by: syzbot+fe2f110e34811ea91690@syzkaller.appspotmail.com Reported by: syzbot+ed6e8de942351d0309f4@syzkaller.appspotmail.com MFC after: 1 week
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/sctp_output.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index 35a834438895..434ab7e1f8dc 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -6337,7 +6337,6 @@ sctp_msg_append(struct sctp_tcb *stcb,
error = EINVAL;
goto out_now;
}
- strm = &stcb->asoc.strmout[srcv->sinfo_stream];
/* Now can we send this? */
if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) ||
(SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
@@ -6396,6 +6395,7 @@ sctp_msg_append(struct sctp_tcb *stcb,
if (hold_stcb_lock == 0) {
SCTP_TCB_SEND_LOCK(stcb);
}
+ strm = &stcb->asoc.strmout[srcv->sinfo_stream];
sctp_snd_sb_alloc(stcb, sp->length);
atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
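Review bot: The relocated `strm = &stcb->asoc.strmout[srcv->sinfo_stream];` now correctly reads the pointer only after `SCTP_TCB_SEND_LOCK` (or with the caller already holding it via `hold_stcb_lock`), but unlike the third hunk it carries no comment explaining why it must not be hoisted back next to the bounds check it originally followed, which invites a later "cleanup" to reintroduce the use-after-reallocation. Suggest the same one-line comment the third hunk uses, `/* The out streams might be reallocated; take the pointer only under the send lock. */`, on the line before it. The bounds check on `srcv->sinfo_stream` in the first hunk still runs before the lock is taken; that is only sound if the stream count cannot shrink while the association is alive, which the commit message implies but the hunks do not show — worth stating in the same comment. sctp_msg_append begins and ends outside these hunks.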
@@ -13137,6 +13137,8 @@ skip_preblock:
goto out;
}
SCTP_TCB_SEND_LOCK(stcb);
+ /* The out streams might be reallocated. */
+ strm = &stcb->asoc.strmout[srcv->sinfo_stream];
if (sp->msg_is_complete) {
strm->last_msg_incomplete = 0;
asoc->stream_locked = 0;