The branch stable/13 has been updated by tuexen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1ceefa271e5759a1888cb6d153b85642bdf85984

commit 1ceefa271e5759a1888cb6d153b85642bdf85984
Author:     Michael Tuexen <tue...@freebsd.org>
AuthorDate: 2021-05-12 21:02:31 +0000
Commit:     Michael Tuexen <tue...@freebsd.org>
CommitDate: 2021-06-07 09:01:28 +0000

    sctp: fix another locking bug in COOKIE handling
    
    Thanks to Tolya Korniltsev for reporting the issue for
    the userland stack and testing the fix.
    
    (cherry picked from commit eec6aed5b8c848841ae8d25940e0a333e5039ce9)
---
 sys/netinet/sctp_input.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index f066cc100ac2..442e58afd0ff 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -1752,17 +1752,23 @@ sctp_process_cookie_existing(struct mbuf *m, int 
iphlen, int offset,
                struct sctpasochead *head;
 
                if (asoc->peer_supports_nat) {
+                       struct sctp_tcb *local_stcb;
+
                        /*
                         * This is a gross gross hack. Just call the
                         * cookie_new code since we are allowing a duplicate
                         * association. I hope this works...
                         */
-                       return (sctp_process_cookie_new(m, iphlen, offset, src, 
dst,
+                       local_stcb = sctp_process_cookie_new(m, iphlen, offset, 
src, dst,
                            sh, cookie, cookie_len,
                            inp, netp, init_src, notification,
                            auth_skipped, auth_offset, auth_len,
                            mflowtype, mflowid,
-                           vrf_id, port));
+                           vrf_id, port);
+                       if (local_stcb == NULL) {
+                               SCTP_TCB_UNLOCK(stcb);
+                       }
+                       return (local_stcb);
                }
                /*
                 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
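Review bot: The new `if (local_stcb == NULL)` branch releases `stcb` only on failure, and nothing in the hunk says who releases it when `sctp_process_cookie_new()` succeeds and a different TCB is returned, so the lock contract of this early return is undocumented. I would add a comment above the check such as `/* No new TCB was created: release the lock held on the existing stcb before returning NULL. */` and state in the same comment which TCBs are expected to be locked on the success return. Presumably the caller still tracks and unlocks the original `stcb` in that case, but that code is outside this hunk and should be confirmed, because this path is driven by received COOKIE chunks and a lock left held here would be triggerable by a peer. `sctp_process_cookie_existing()` starts and ends outside the hunk, so its other return paths could not be checked for the same pattern.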