Author: tuexen
Date: Sun May 10 10:03:10 2020
New Revision: 360869
URL: https://svnweb.freebsd.org/changeset/base/360869
Log:
Only drop DATA chunk with lower priorities as specified in RFC 7496.
This issue was found by looking at a reproducer generated by syzkaller.
MFC after: 3 days
Modified:
head/sys/netinet/sctp_output.c
Modified: head/sys/netinet/sctp_output.c
==============================================================================
--- head/sys/netinet/sctp_output.c Sun May 10 09:50:44 2020
(r360868)
+++ head/sys/netinet/sctp_output.c Sun May 10 10:03:10 2020
(r360869)
@@ -6199,11 +6199,11 @@ sctp_prune_prsctp(struct sctp_tcb *stcb,
* This one is PR-SCTP AND buffer space
* limited type
*/
- if (chk->rec.data.timetodrop.tv_sec >=
(long)srcv->sinfo_timetolive) {
+ if (chk->rec.data.timetodrop.tv_sec >
(long)srcv->sinfo_timetolive) {
/*
* Lower numbers equates to higher
* priority so if the one we are
- * looking at has a larger or equal
+ * looking at has a larger
* priority we want to drop the data
* and NOT retransmit it.
*/
@@ -6234,7 +6234,7 @@ sctp_prune_prsctp(struct sctp_tcb *stcb,
TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
/* Here we must move to the sent queue and mark */
if (PR_SCTP_BUF_ENABLED(chk->flags)) {
- if (chk->rec.data.timetodrop.tv_sec >=
(long)srcv->sinfo_timetolive) {
+ if (chk->rec.data.timetodrop.tv_sec >
(long)srcv->sinfo_timetolive) {
if (chk->data) {
/*
* We release the book_size
@@ -12617,7 +12617,7 @@ sctp_lower_sosend(struct socket *so,
top = SCTP_HEADER_TO_CHAIN(i_pak);
sndlen = SCTP_HEADER_LEN(i_pak);
}
- SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zu\n",
+ SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zd\n",
(void *)addr,
sndlen);
if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
