svn commit: r339040 - head/sys/netinet

Michael Tuexen tuexen at FreeBSD.org
Mon Oct 1 13:09:19 UTC 2018 

Author: tuexen
Date: Mon Oct  1 13:09:18 2018
New Revision: 339040
URL: https://svnweb.freebsd.org/changeset/base/339040

Log:
  After allocating chunks set the fields in a consistent way.
  This removes two assignments for the flags field being done
  twice and adds one, which was missing.
  Thanks to Felix Weinrank for reporting the issue he found
  by using fuzz testing of the userland stack.
  
  Approved by:            re (kib@)
  MFC after:              1 week

Modified:
  head/sys/netinet/sctp_output.c

Modified: head/sys/netinet/sctp_output.c
==============================================================================
--- head/sys/netinet/sctp_output.c	Mon Oct  1 10:46:00 2018	(r339039)
+++ head/sys/netinet/sctp_output.c	Mon Oct  1 13:09:18 2018	(r339040)
@@ -8975,14 +8975,15 @@ sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *
 		return;
 	}
 	chk->copy_by_ref = 0;
+	chk->rec.chunk_id.id = SCTP_OPERATION_ERROR;
+	chk->rec.chunk_id.can_take_data = 0;
+	chk->flags = 0;
 	chk->send_size = (uint16_t)chunk_length;
 	chk->sent = SCTP_DATAGRAM_UNSENT;
 	chk->snd_count = 0;
 	chk->asoc = &stcb->asoc;
 	chk->data = op_err;
 	chk->whoTo = NULL;
-	chk->rec.chunk_id.id = SCTP_OPERATION_ERROR;
-	chk->rec.chunk_id.can_take_data = 0;
 	hdr = mtod(op_err, struct sctp_chunkhdr *);
 	hdr->chunk_type = SCTP_OPERATION_ERROR;
 	hdr->chunk_flags = 0;
@@ -9204,7 +9205,6 @@ sctp_send_shutdown_ack(struct sctp_tcb *stcb, struct s
 	chk->send_size = sizeof(struct sctp_chunkhdr);
 	chk->sent = SCTP_DATAGRAM_UNSENT;
 	chk->snd_count = 0;
-	chk->flags = 0;
 	chk->asoc = &stcb->asoc;
 	chk->data = m_shutdown_ack;
 	chk->whoTo = net;
@@ -9259,7 +9259,6 @@ sctp_send_shutdown(struct sctp_tcb *stcb, struct sctp_
 		chk->send_size = sizeof(struct sctp_shutdown_chunk);
 		chk->sent = SCTP_DATAGRAM_UNSENT;
 		chk->snd_count = 0;
-		chk->flags = 0;
 		chk->asoc = &stcb->asoc;
 		chk->data = m_shutdown;
 		chk->whoTo = net;
@@ -12168,7 +12167,6 @@ sctp_send_str_reset_req(struct sctp_tcb *stcb,
 	chk->book_size = sizeof(struct sctp_chunkhdr);
 	chk->send_size = SCTP_SIZE32(chk->book_size);
 	chk->book_size_scale = 0;
-
 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
 	if (chk->data == NULL) {
 		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);

More information about the svn-src-head mailing list