The branch main has been updated by tuexen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a89481d328fd96ccbfa642e1db6d03825fa1dc6d

commit a89481d328fd96ccbfa642e1db6d03825fa1dc6d
Author:     Michael Tuexen <tue...@freebsd.org>
AuthorDate: 2021-05-03 00:20:24 +0000
Commit:     Michael Tuexen <tue...@freebsd.org>
CommitDate: 2021-05-03 00:20:24 +0000

    sctp: improve restart handling
    
    This fixes in particular a possible use-after-free bug reported by
    Anatoly Korniltsev and Taylor Brandstetter for the userland stack.
    
    MFC after:      3 days
---
 sys/netinet/sctp_input.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 10e1c37c6cfb..b6fe6449bc21 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -1761,11 +1761,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, 
int offset,
                /* temp code */
                if (how_indx < sizeof(asoc->cookie_how))
                        asoc->cookie_how[how_indx] = 12;
-               sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net,
-                   SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
-               sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
-                   SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
-
+               sctp_stop_association_timers(stcb, false);
                /* notify upper layer */
                *notification = SCTP_NOTIFY_ASSOC_RESTART;
                atomic_add_int(&stcb->asoc.refcnt, 1);
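Review bot: The `false` passed to `sctp_stop_association_timers(stcb, false)` is an opaque literal at the call site, and a short comment naming what it selects would spare the next reader a trip to the callee, e.g. `/* stop every timer on this association before restarting it; false = <MEANING OF FLAG, from the callee> */` with the placeholder filled in. The lines it replaces stopped only the INIT and HEARTBEAT timers on `net`, so the new call presumably covers a wider set; stating that in the comment would also document why it matters here, since a timer firing against state that is reset below is the kind of use-after-free the commit message describes (inferred, not visible in this hunk). sctp_process_cookie_existing begins and ends outside this hunk.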
@@ -1798,6 +1794,10 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, 
int offset,
                asoc->str_reset_seq_in = asoc->init_seq_number;
                asoc->advanced_peer_ack_point = asoc->last_acked_seq;
                asoc->send_sack = 1;
+               asoc->data_pkts_seen = 0;
+               asoc->last_data_chunk_from = NULL;
+               asoc->last_control_chunk_from = NULL;
+               asoc->last_net_cmt_send_started = NULL;
                if (asoc->mapping_array) {
                        memset(asoc->mapping_array, 0,
                            asoc->mapping_array_size);
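Review bot: The three pointer fields reset to NULL (`last_data_chunk_from`, `last_control_chunk_from`, `last_net_cmt_send_started`) need a why-comment, because from this hunk alone a reader cannot tell whether they are cleared as plain bookkeeping or to drop dangling references. If, as the names suggest, they point at per-destination net entries that the restart may free, say so: `/* drop cached net pointers; the nets they refer to may be freed during the restart */`. The enclosing function continues outside the hunk, so the point where nets are actually torn down is not visible here.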
@@ -1858,6 +1858,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, 
int offset,
                        SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
                        SCTP_DECR_CHK_COUNT();
                }
+               asoc->ctrl_queue_cnt = 0;
+               asoc->str_reset = NULL;
+               asoc->stream_reset_outstanding = 0;
                TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, 
nchk) {
                        TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
                        if (chk->data) {
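Review bot: `asoc->str_reset = NULL` is placed right after the loop that frees chunks, but nothing says that `str_reset` may have pointed at one of those chunks; if that is the reason (inferred, the loop head is outside the hunk), a comment makes the ordering constraint explicit: `/* str_reset may reference a chunk freed above; clear it together with the queue bookkeeping */`. Zeroing `ctrl_queue_cnt` and `stream_reset_outstanding` at the same point reads as consistent with that, though the counter is only correct if the loop above drained the whole control queue rather than a subset, which cannot be confirmed from the visible lines.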
@@ -1937,12 +1940,13 @@ sctp_process_cookie_existing(struct mbuf *m, int 
iphlen, int offset,
                        return (NULL);
                }
                /* respond with a COOKIE-ACK */
-               sctp_stop_all_cookie_timers(stcb);
-               sctp_toss_old_cookies(stcb, asoc);
                sctp_send_cookie_ack(stcb);
                if (how_indx < sizeof(asoc->cookie_how))
                        asoc->cookie_how[how_indx] = 15;
-
+               if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE) &&
+                   (asoc->sctp_autoclose_ticks > 0)) {
+                       sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 
NULL);
+               }
                return (stcb);
        }
        if (how_indx < sizeof(asoc->cookie_how))
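Review bot: Starting the AUTOCLOSE timer here without a comment leaves the reader to guess why it is needed on the restart path; apparently the `sctp_stop_association_timers()` call added earlier in this function (first hunk) stops it along with the others, so it has to be re-armed once the restart completes. Suggest `/* the restart stopped all association timers; re-arm autoclose now that the association is live again */` above the `if`, hedged or confirmed against the callee. The enclosing function continues past this hunk.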