The branch main has been updated by tuexen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=04ede3675e44847c3e9e4a9bd44509cdf42ed60a

commit 04ede3675e44847c3e9e4a9bd44509cdf42ed60a
Author:     Michael Tuexen <tue...@freebsd.org>
AuthorDate: 2023-05-03 18:28:46 +0000
Commit:     Michael Tuexen <tue...@freebsd.org>
CommitDate: 2023-05-03 18:28:46 +0000

    sctp: only start shutdown guard timer when sending SHUTDOWN chunk
    
    The intention is to protect against a malicious peer not following the
    shutdown procedures.
    
    MFC after:      1 week
---
 sys/netinet/sctp_input.c  | 14 --------------
 sys/netinet/sctp_output.c |  4 ----
 sys/netinet/sctp_pcb.c    |  1 -
 sys/netinet/sctp_usrreq.c |  6 +++---
 4 files changed, 3 insertions(+), 22 deletions(-)

diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index fc362d091a22..5a7ed6ffde90 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -1501,10 +1501,6 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, 
int offset,
                                SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
 
                        SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
-                       if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
-                               sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
-                                   stcb->sctp_ep, stcb, NULL);
-                       }
                        SCTP_STAT_INCR_GAUGE32(sctps_currestab);
                        sctp_stop_all_cookie_timers(stcb);
                        if (((stcb->sctp_ep->sctp_flags & 
SCTP_PCB_FLAGS_TCPTYPE) ||
@@ -1718,10 +1714,6 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, 
int offset,
                        SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
                }
                SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
-               if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
-                       sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
-                           stcb->sctp_ep, stcb, NULL);
-               }
                sctp_stop_all_cookie_timers(stcb);
                sctp_toss_old_cookies(stcb, asoc);
                sctp_send_cookie_ack(stcb);
@@ -1788,8 +1780,6 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, 
int offset,
                }
                if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
                        SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
-                       sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
-                           stcb->sctp_ep, stcb, NULL);
 
                } else if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) {
                        /* move to OPEN state, if not in SHUTDOWN_SENT */
@@ -2176,10 +2166,6 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int 
offset,
        /* update current state */
        SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
        SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
-       if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
-               sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
-                   stcb->sctp_ep, stcb, NULL);
-       }
        sctp_stop_all_cookie_timers(stcb);
        SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
        SCTP_STAT_INCR_GAUGE32(sctps_currestab);
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index 3b9a06b72d8a..fdea88002194 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -6768,8 +6768,6 @@ sctp_sendall_iterator(struct sctp_inpcb *inp, struct 
sctp_tcb *stcb, void *ptr,
                                                
atomic_subtract_int(&stcb->asoc.refcnt, 1);
                                                goto no_chunk_output;
                                        }
-                                       
sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
-                                           NULL);
                                }
                        }
                }
@@ -13562,8 +13560,6 @@ dataless_eof:
                                        error = ECONNABORTED;
                                        goto out;
                                }
-                               sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 
stcb->sctp_ep, stcb,
-                                   NULL);
                                sctp_feature_off(inp, SCTP_PCB_FLAGS_NODELAY);
                        }
                }
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 7567764bfd72..4e97dc4e7ad3 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -3461,7 +3461,6 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, 
int from)
                        } else {
                                /* mark into shutdown pending */
                                SCTP_ADD_SUBSTATE(stcb, 
SCTP_STATE_SHUTDOWN_PENDING);
-                               sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 
stcb->sctp_ep, stcb, NULL);
                                if 
((*stcb->asoc.ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, 
&stcb->asoc)) {
                                        SCTP_ADD_SUBSTATE(stcb, 
SCTP_STATE_PARTIAL_MSG_LEFT);
                                }
diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 6e17545c9a3b..917d301a85dc 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -736,7 +736,7 @@ sctp_disconnect(struct socket *so)
                                            stcb->sctp_ep, stcb, netp);
                                        
sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
                                            stcb->sctp_ep, stcb, NULL);
-                                       sctp_chunk_output(stcb->sctp_ep, stcb, 
SCTP_OUTPUT_FROM_T3, SCTP_SO_LOCKED);
+                                       sctp_chunk_output(stcb->sctp_ep, stcb, 
SCTP_OUTPUT_FROM_CLOSING, SCTP_SO_LOCKED);
                                }
                        } else {
                                /*
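Review bot: The switch from `SCTP_OUTPUT_FROM_T3` to `SCTP_OUTPUT_FROM_CLOSING` in the `sctp_chunk_output()` call is not mentioned in the commit message, which only describes the guard timer change. Since the commit is marked for MFC, a line in the description such as `While here, use the correct output reason in sctp_disconnect().` would make the second change visible to anyone merging or bisecting. sctp_disconnect() starts and ends outside the hunk, so whether other callers on the close path still pass the T3 reason cannot be checked from here.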
@@ -750,7 +750,6 @@ sctp_disconnect(struct socket *so)
                                 * and move to SHUTDOWN-PENDING
                                 */
                                SCTP_ADD_SUBSTATE(stcb, 
SCTP_STATE_SHUTDOWN_PENDING);
-                               sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 
stcb->sctp_ep, stcb, NULL);
                                if 
((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
                                        SCTP_ADD_SUBSTATE(stcb, 
SCTP_STATE_PARTIAL_MSG_LEFT);
                                }
@@ -933,6 +932,8 @@ sctp_shutdown(struct socket *so)
                        sctp_send_shutdown(stcb, netp);
                        sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
                            stcb->sctp_ep, stcb, netp);
+                       sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
+                           stcb->sctp_ep, stcb, NULL);
                } else {
                        /*
                         * We still got (or just got) data to send, so set
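Review bot: The guard timer is now armed in sctp_shutdown() only in the branch that calls `sctp_send_shutdown()`, so the else branch that handles still-queued data (its body continues outside the hunk) no longer gets a bound of its own. That is only safe if every later path that sends the SHUTDOWN chunk for such an association also starts `SCTP_TIMER_TYPE_SHUTDOWNGUARD`, which cannot be confirmed from this diff. A short comment on the added lines would record the invariant, e.g. `/* Guard timer bounds the shutdown handshake; start it wherever a SHUTDOWN chunk is sent. */`. Until the SHUTDOWN is sent the association presumably relies on the data retransmission limits to give up on a peer, and it is worth confirming that this still holds for a peer that stays responsive but never lets the send queue drain.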
@@ -957,7 +958,6 @@ sctp_shutdown(struct socket *so)
                                return (0);
                        }
                }
-               sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, 
stcb, NULL);
                /*
                 * XXX: Why do this in the case where we have still data
                 * queued?
