svn commit: r357829 - head/sys/netinet

Wed, 12 Feb 2020 09:03:12 -0800 

Author: tuexen
Date: Wed Feb 12 17:02:15 2020
New Revision: 357829
URL: https://svnweb.freebsd.org/changeset/base/357829

Log:
  Mark the socket as disconnected when freeing the association the first
  time.
  This issue was found by running syzkaller.
  
  MFC after:            1 week

Modified:
  head/sys/netinet/sctp_pcb.c

Modified: head/sys/netinet/sctp_pcb.c
==============================================================================
--- head/sys/netinet/sctp_pcb.c Wed Feb 12 16:10:00 2020        (r357828)
+++ head/sys/netinet/sctp_pcb.c Wed Feb 12 17:02:15 2020        (r357829)
@@ -4744,6 +4744,31 @@ sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tc
        else
                so = inp->sctp_socket;
 
+       if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
+           (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
+               /*
+                * For TCP type we need special handling when we are
+                * connected. We also include the peel'ed off ones to.
+                */
+               if (inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) {
+                       inp->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
+                       inp->sctp_flags |= SCTP_PCB_FLAGS_WAS_CONNECTED;
+                       if (so) {
+                               SOCKBUF_LOCK(&so->so_rcv);
+                               so->so_state &= ~(SS_ISCONNECTING |
+                                   SS_ISDISCONNECTING |
+                                   SS_ISCONFIRMING |
+                                   SS_ISCONNECTED);
+                               so->so_state |= SS_ISDISCONNECTED;
+                               socantrcvmore_locked(so);
+                               socantsendmore(so);
+                               sctp_sowwakeup(inp, so);
+                               sctp_sorwakeup(inp, so);
+                               SCTP_SOWAKEUP(so);
+                       }
+               }
+       }
+
        /*
         * We used timer based freeing if a reader or writer is in the way.
         * So we first check if we are actually being called from a timer,
@@ -4870,31 +4895,6 @@ sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tc
            (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE))
                /* nothing around */
                so = NULL;
-
-       if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
-           (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
-               /*
-                * For TCP type we need special handling when we are
-                * connected. We also include the peel'ed off ones to.
-                */
-               if (inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) {
-                       inp->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
-                       inp->sctp_flags |= SCTP_PCB_FLAGS_WAS_CONNECTED;
-                       if (so) {
-                               SOCKBUF_LOCK(&so->so_rcv);
-                               so->so_state &= ~(SS_ISCONNECTING |
-                                   SS_ISDISCONNECTING |
-                                   SS_ISCONFIRMING |
-                                   SS_ISCONNECTED);
-                               so->so_state |= SS_ISDISCONNECTED;
-                               socantrcvmore_locked(so);
-                               socantsendmore(so);
-                               sctp_sowwakeup(inp, so);
-                               sctp_sorwakeup(inp, so);
-                               SCTP_SOWAKEUP(so);
-                       }
-               }
-       }
 
        /*
         * Make it invalid too, that way if its about to run it will abort
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to