git: 6f930137ca6d - releng/13.0 - sctp: several fixes and improvements
Michael Tuexen
tuexen at FreeBSD.org
Tue Mar 2 18:15:47 UTC 2021
The branch releng/13.0 has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=6f930137ca6dac436d10b462a2058b5d9d975c5d
commit 6f930137ca6dac436d10b462a2058b5d9d975c5d
Author: Michael Tuexen <tuexen at FreeBSD.org>
AuthorDate: 2021-01-23 19:56:45 +0000
Commit: Michael Tuexen <tuexen at FreeBSD.org>
CommitDate: 2021-03-02 15:57:23 +0000
sctp: several fixes and improvements
Approved by: re (gjb)
sctp: improve consistency
No functional change intended.
(cherry picked from commit 7a051c0a7890dc8e490ebe125bfc70a28e89ddaf)
(cherry picked from commit 459f1b906515076b7ce30a06ab69a60891d8cbe8)
sctp: fix PR-SCTP stats when adding addtional streams
(cherry picked from commit 0f7573ffd6141b19419c9a6238246b9ba0e6dce6)
(cherry picked from commit 21398f02b0c7913f815ae6ded426da60d92c635b)
sctp: fix a locking issue for old unordered data
Thanks to Anatoly Korniltsev for reporting the issue for the
userland stack.
(cherry picked from commit 8dc6a1edca6de0c64f6c082f69097746d1346592)
(cherry picked from commit 3fa95c0fe60bbd67db6043c7e18910387bbe1bac)
sctp: improve input validation
Improve the handling of INIT chunks in specific szenarios and
report and appropriate error cause.
Thanks to Anatoly Korniltsev for reporting the issue for the
userland stack.
(cherry picked from commit af885c57d65d33c0306e91d3e090e76772a0d012)
(cherry picked from commit 16b538975024e2b7038807bf5b712124f5a7b889)
sctp: small cleanup, no functional change intended.
(cherry picked from commit bdd4630c9a9cea64830f981fc897ac953c48892c)
(cherry picked from commit 5573b94fa67f954dd0db57de328e60941ee8c9d1)
sctp: clear a pointer to a net which will be removed
(cherry picked from commit 5ac839029d01c0f48e1b1ff1a599cb47cf5e98ee)
(cherry picked from commit 04c13928d9f306a7d7ac34452644a538d2be6fdc)
sctp: improve computation of an alternate net
Espeially handle the case where the net passed in is about to
be deleted and therefore not in the list of nets anymore.
Reported by: syzbot+9756917a7c8381adf5e8 at syzkaller.appspotmail.com
(cherry picked from commit b963ce4588b33f733aef3f7a7f3fbe5018a89728)
(cherry picked from commit 8cf046aff9719779b665f7f4f4a8bad4b3945341)
sctp: avoid integer overflow when starting the HB timer
Reported by: syzbot+14b9d7c3c64208fae62f at syzkaller.appspotmail.com
(cherry picked from commit 70e95f0b6917a8b8cd4a2a5f883f3e9753fc86d8)
(cherry picked from commit f7c20120c19b6307536908a7f779be2832b133f3)
---
sys/netinet/sctp_indata.c | 2 +-
sys/netinet/sctp_input.c | 2 +-
sys/netinet/sctp_output.c | 127 ++++++++++++++++++++++++++++-----------------
sys/netinet/sctp_pcb.c | 4 ++
sys/netinet/sctp_structs.h | 32 ++++++------
sys/netinet/sctp_timer.c | 85 +++++++++++++++++-------------
sys/netinet/sctputil.c | 25 +++++----
7 files changed, 165 insertions(+), 112 deletions(-)
diff --git a/sys/netinet/sctp_indata.c b/sys/netinet/sctp_indata.c
index 08af27c934fb..6997a0099c88 100644
--- a/sys/netinet/sctp_indata.c
+++ b/sys/netinet/sctp_indata.c
@@ -803,7 +803,7 @@ restart:
}
memset(nc, 0, sizeof(struct sctp_queued_to_read));
TAILQ_REMOVE(&control->reasm, chk, sctp_next);
- sctp_add_chk_to_control(control, strm, stcb, asoc, chk, SCTP_READ_LOCK_NOT_HELD);
+ sctp_add_chk_to_control(control, strm, stcb, asoc, chk, inp_read_lock_held);
fsn++;
cnt_added++;
chk = NULL;
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 1606e4d9d1cf..43a2b06d1c79 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -1871,9 +1871,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
asoc->strmout[i].abandoned_sent[0] = 0;
asoc->strmout[i].abandoned_unsent[0] = 0;
#endif
- stcb->asoc.strmout[i].sid = i;
stcb->asoc.strmout[i].next_mid_ordered = 0;
stcb->asoc.strmout[i].next_mid_unordered = 0;
+ stcb->asoc.strmout[i].sid = i;
stcb->asoc.strmout[i].last_msg_incomplete = 0;
}
TAILQ_FOREACH_SAFE(strrst, &asoc->resetHead, next_resp, nstrrst) {
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index d8cf063c6b53..0f7ade931e61 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -3629,9 +3629,8 @@ sctp_process_cmsgs_for_init(struct sctp_tcb *stcb, struct mbuf *control, int *er
}
for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
+ stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], NULL);
stcb->asoc.strmout[i].chunks_on_queues = 0;
- stcb->asoc.strmout[i].next_mid_ordered = 0;
- stcb->asoc.strmout[i].next_mid_unordered = 0;
#if defined(SCTP_DETAILED_STR_STATS)
for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
stcb->asoc.strmout[i].abandoned_sent[j] = 0;
@@ -3641,10 +3640,11 @@ sctp_process_cmsgs_for_init(struct sctp_tcb *stcb, struct mbuf *control, int *er
stcb->asoc.strmout[i].abandoned_sent[0] = 0;
stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
#endif
+ stcb->asoc.strmout[i].next_mid_ordered = 0;
+ stcb->asoc.strmout[i].next_mid_unordered = 0;
stcb->asoc.strmout[i].sid = i;
stcb->asoc.strmout[i].last_msg_incomplete = 0;
stcb->asoc.strmout[i].state = SCTP_STREAM_OPENING;
- stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], NULL);
}
}
break;
@@ -5232,31 +5232,33 @@ invalid_size:
return (op_err);
}
-static int
+/*
+ * Given a INIT chunk, look through the parameters to verify that there
+ * are no new addresses.
+ * Return true, if there is a new address or there is a problem parsing
+ the parameters. Provide an optional error cause used when sending an ABORT.
+ * Return false, if there are no new addresses and there is no problem in
+ parameter processing.
+ */
+static bool
sctp_are_there_new_addresses(struct sctp_association *asoc,
- struct mbuf *in_initpkt, int offset, struct sockaddr *src)
+ struct mbuf *in_initpkt, int offset, int limit, struct sockaddr *src,
+ struct mbuf **op_err)
{
- /*
- * Given a INIT packet, look through the packet to verify that there
- * are NO new addresses. As we go through the parameters add reports
- * of any un-understood parameters that require an error. Also we
- * must return (1) to drop the packet if we see a un-understood
- * parameter that tells us to drop the chunk.
- */
struct sockaddr *sa_touse;
struct sockaddr *sa;
struct sctp_paramhdr *phdr, params;
- uint16_t ptype, plen;
- uint8_t fnd;
struct sctp_nets *net;
- int check_src;
#ifdef INET
struct sockaddr_in sin4, *sa4;
#endif
#ifdef INET6
struct sockaddr_in6 sin6, *sa6;
#endif
+ uint16_t ptype, plen;
+ bool fnd, check_src;
+ *op_err = NULL;
#ifdef INET
memset(&sin4, 0, sizeof(sin4));
sin4.sin_family = AF_INET;
@@ -5268,19 +5270,19 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
sin6.sin6_len = sizeof(sin6);
#endif
/* First what about the src address of the pkt ? */
- check_src = 0;
+ check_src = false;
switch (src->sa_family) {
#ifdef INET
case AF_INET:
if (asoc->scope.ipv4_addr_legal) {
- check_src = 1;
+ check_src = true;
}
break;
#endif
#ifdef INET6
case AF_INET6:
if (asoc->scope.ipv6_addr_legal) {
- check_src = 1;
+ check_src = true;
}
break;
#endif
@@ -5289,7 +5291,7 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
break;
}
if (check_src) {
- fnd = 0;
+ fnd = false;
TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
sa = (struct sockaddr *)&net->ro._l_addr;
if (sa->sa_family == src->sa_family) {
@@ -5300,7 +5302,7 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
sa4 = (struct sockaddr_in *)sa;
src4 = (struct sockaddr_in *)src;
if (sa4->sin_addr.s_addr == src4->sin_addr.s_addr) {
- fnd = 1;
+ fnd = true;
break;
}
}
@@ -5312,16 +5314,22 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
sa6 = (struct sockaddr_in6 *)sa;
src6 = (struct sockaddr_in6 *)src;
if (SCTP6_ARE_ADDR_EQUAL(sa6, src6)) {
- fnd = 1;
+ fnd = true;
break;
}
}
#endif
}
}
- if (fnd == 0) {
- /* New address added! no need to look further. */
- return (1);
+ if (!fnd) {
+ /*
+ * If sending an ABORT in case of an additional
+ * address, don't use the new address error cause.
+ * This looks no different than if no listener was
+ * present.
+ */
+ *op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), "Address added");
+ return (true);
}
}
/* Ok so far lets munge through the rest of the packet */
@@ -5331,6 +5339,14 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
sa_touse = NULL;
ptype = ntohs(phdr->param_type);
plen = ntohs(phdr->param_length);
+ if (offset + plen > limit) {
+ *op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Partial parameter");
+ return (true);
+ }
+ if (plen < sizeof(struct sctp_paramhdr)) {
+ *op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length too small");
+ return (true);
+ }
switch (ptype) {
#ifdef INET
case SCTP_IPV4_ADDRESS:
@@ -5338,12 +5354,14 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
struct sctp_ipv4addr_param *p4, p4_buf;
if (plen != sizeof(struct sctp_ipv4addr_param)) {
- return (1);
+ *op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length illegal");
+ return (true);
}
phdr = sctp_get_next_param(in_initpkt, offset,
(struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
if (phdr == NULL) {
- return (1);
+ *op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "");
+ return (true);
}
if (asoc->scope.ipv4_addr_legal) {
p4 = (struct sctp_ipv4addr_param *)phdr;
@@ -5359,12 +5377,14 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
struct sctp_ipv6addr_param *p6, p6_buf;
if (plen != sizeof(struct sctp_ipv6addr_param)) {
- return (1);
+ *op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length illegal");
+ return (true);
}
phdr = sctp_get_next_param(in_initpkt, offset,
(struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
if (phdr == NULL) {
- return (1);
+ *op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "");
+ return (true);
}
if (asoc->scope.ipv6_addr_legal) {
p6 = (struct sctp_ipv6addr_param *)phdr;
@@ -5381,7 +5401,7 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
}
if (sa_touse) {
/* ok, sa_touse points to one to check */
- fnd = 0;
+ fnd = false;
TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
sa = (struct sockaddr *)&net->ro._l_addr;
if (sa->sa_family != sa_touse->sa_family) {
@@ -5392,7 +5412,7 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
sa4 = (struct sockaddr_in *)sa;
if (sa4->sin_addr.s_addr ==
sin4.sin_addr.s_addr) {
- fnd = 1;
+ fnd = true;
break;
}
}
@@ -5402,21 +5422,31 @@ sctp_are_there_new_addresses(struct sctp_association *asoc,
sa6 = (struct sockaddr_in6 *)sa;
if (SCTP6_ARE_ADDR_EQUAL(
sa6, &sin6)) {
- fnd = 1;
+ fnd = true;
break;
}
}
#endif
}
if (!fnd) {
- /* New addr added! no need to look further */
- return (1);
+ /*
+ * If sending an ABORT in case of an
+ * additional address, don't use the new
+ * address error cause. This looks no
+ * different than if no listener was
+ * present.
+ */
+ *op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), "Address added");
+ return (true);
}
}
offset += SCTP_SIZE32(plen);
+ if (offset >= limit) {
+ break;
+ }
phdr = sctp_get_next_param(in_initpkt, offset, ¶ms, sizeof(params));
}
- return (0);
+ return (false);
}
/*
@@ -5472,17 +5502,11 @@ sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
}
if ((asoc != NULL) &&
(SCTP_GET_STATE(stcb) != SCTP_STATE_COOKIE_WAIT)) {
- if (sctp_are_there_new_addresses(asoc, init_pkt, offset, src)) {
+ if (sctp_are_there_new_addresses(asoc, init_pkt, offset, offset + ntohs(init_chk->ch.chunk_length), src, &op_err)) {
/*
* new addresses, out of here in non-cookie-wait
* states
- *
- * Send an ABORT, without the new address error
- * cause. This looks no different than if no
- * listener was present.
*/
- op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
- "Address added");
sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
mflowtype, mflowid, inp->fibnum,
vrf_id, port);
@@ -12136,18 +12160,27 @@ sctp_send_str_reset_req(struct sctp_tcb *stcb,
stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, 0, 1);
for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
- stcb->asoc.strmout[i].chunks_on_queues = oldstream[i].chunks_on_queues;
- stcb->asoc.strmout[i].next_mid_ordered = oldstream[i].next_mid_ordered;
- stcb->asoc.strmout[i].next_mid_unordered = oldstream[i].next_mid_unordered;
- stcb->asoc.strmout[i].last_msg_incomplete = oldstream[i].last_msg_incomplete;
- stcb->asoc.strmout[i].sid = i;
- stcb->asoc.strmout[i].state = oldstream[i].state;
/* FIX ME FIX ME */
/*
* This should be a SS_COPY operation FIX ME STREAM
* SCHEDULER EXPERT
*/
stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], &oldstream[i]);
+ stcb->asoc.strmout[i].chunks_on_queues = oldstream[i].chunks_on_queues;
+#if defined(SCTP_DETAILED_STR_STATS)
+ for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
+ stcb->asoc.strmout[i].abandoned_sent[j] = oldstream[i].abandoned_sent[j];
+ stcb->asoc.strmout[i].abandoned_unsent[j] = oldstream[i].abandoned_unsent[j];
+ }
+#else
+ stcb->asoc.strmout[i].abandoned_sent[0] = oldstream[i].abandoned_sent[0];
+ stcb->asoc.strmout[i].abandoned_unsent[0] = oldstream[i].abandoned_unsent[0];
+#endif
+ stcb->asoc.strmout[i].next_mid_ordered = oldstream[i].next_mid_ordered;
+ stcb->asoc.strmout[i].next_mid_unordered = oldstream[i].next_mid_unordered;
+ stcb->asoc.strmout[i].last_msg_incomplete = oldstream[i].last_msg_incomplete;
+ stcb->asoc.strmout[i].sid = i;
+ stcb->asoc.strmout[i].state = oldstream[i].state;
/* now anything on those queues? */
TAILQ_FOREACH_SAFE(sp, &oldstream[i].outqueue, next, nsp) {
TAILQ_REMOVE(&oldstream[i].outqueue, sp, next);
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 2e082570cfc1..4d09ad3a7353 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -4443,6 +4443,10 @@ out:
/* Clear net */
asoc->last_control_chunk_from = NULL;
}
+ if (net == asoc->last_net_cmt_send_started) {
+ /* Clear net */
+ asoc->last_net_cmt_send_started = NULL;
+ }
if (net == stcb->asoc.alternate) {
sctp_free_remote_addr(stcb->asoc.alternate);
stcb->asoc.alternate = NULL;
diff --git a/sys/netinet/sctp_structs.h b/sys/netinet/sctp_structs.h
index 52fe30098ad7..a22dac047971 100644
--- a/sys/netinet/sctp_structs.h
+++ b/sys/netinet/sctp_structs.h
@@ -548,6 +548,20 @@ struct sctp_stream_in {
TAILQ_HEAD(sctpwheel_listhead, sctp_stream_out);
TAILQ_HEAD(sctplist_listhead, sctp_stream_queue_pending);
+/*
+ * This union holds all data necessary for
+ * different stream schedulers.
+ */
+struct scheduling_data {
+ struct sctp_stream_out *locked_on_sending;
+ /* circular looking for output selection */
+ struct sctp_stream_out *last_out_stream;
+ union {
+ struct sctpwheel_listhead wheel;
+ struct sctplist_listhead list;
+ } out;
+};
+
/* Round-robin schedulers */
struct ss_rr {
/* next link in wheel */
@@ -570,20 +584,6 @@ struct ss_fb {
int32_t rounds;
};
-/*
- * This union holds all data necessary for
- * different stream schedulers.
- */
-struct scheduling_data {
- struct sctp_stream_out *locked_on_sending;
- /* circular looking for output selection */
- struct sctp_stream_out *last_out_stream;
- union {
- struct sctpwheel_listhead wheel;
- struct sctplist_listhead list;
- } out;
-};
-
/*
* This union holds all parameters per stream
* necessary for different stream schedulers.
@@ -601,8 +601,6 @@ union scheduling_parameters {
#define SCTP_STREAM_RESET_PENDING 0x03
#define SCTP_STREAM_RESET_IN_FLIGHT 0x04
-#define SCTP_MAX_STREAMS_AT_ONCE_RESET 200
-
/* This struct is used to track the traffic on outbound streams */
struct sctp_stream_out {
struct sctp_streamhead outqueue;
@@ -627,6 +625,8 @@ struct sctp_stream_out {
uint8_t state;
};
+#define SCTP_MAX_STREAMS_AT_ONCE_RESET 200
+
/* used to keep track of the addresses yet to try to add/delete */
TAILQ_HEAD(sctp_asconf_addrhead, sctp_asconf_addr);
struct sctp_asconf_addr {
diff --git a/sys/netinet/sctp_timer.c b/sys/netinet/sctp_timer.c
index bce1f5cd166d..582abd8e8854 100644
--- a/sys/netinet/sctp_timer.c
+++ b/sys/netinet/sctp_timer.c
@@ -164,8 +164,8 @@ sctp_threshold_management(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
}
/*
- * sctp_find_alternate_net() returns a non-NULL pointer as long
- * the argument net is non-NULL.
+ * sctp_find_alternate_net() returns a non-NULL pointer as long as there
+ * exists nets, which are not being deleted.
*/
struct sctp_nets *
sctp_find_alternate_net(struct sctp_tcb *stcb,
@@ -174,14 +174,14 @@ sctp_find_alternate_net(struct sctp_tcb *stcb,
{
/* Find and return an alternate network if possible */
struct sctp_nets *alt, *mnet, *min_errors_net = NULL, *max_cwnd_net = NULL;
- int once;
+ bool looped;
/* JRS 5/14/07 - Initialize min_errors to an impossible value. */
int min_errors = -1;
uint32_t max_cwnd = 0;
if (stcb->asoc.numnets == 1) {
- /* No others but net */
+ /* No selection can be made. */
return (TAILQ_FIRST(&stcb->asoc.nets));
}
/*
@@ -328,25 +328,22 @@ sctp_find_alternate_net(struct sctp_tcb *stcb,
return (max_cwnd_net);
}
}
- mnet = net;
- once = 0;
-
- if (mnet == NULL) {
- mnet = TAILQ_FIRST(&stcb->asoc.nets);
- if (mnet == NULL) {
- return (NULL);
- }
+ /* Look for an alternate net, which is active. */
+ if ((net != NULL) && ((net->dest_state & SCTP_ADDR_BEING_DELETED) == 0)) {
+ alt = TAILQ_NEXT(net, sctp_next);;
+ } else {
+ alt = TAILQ_FIRST(&stcb->asoc.nets);
}
+ looped = false;
for (;;) {
- alt = TAILQ_NEXT(mnet, sctp_next);
if (alt == NULL) {
- once++;
- if (once > 1) {
- break;
+ if (!looped) {
+ alt = TAILQ_FIRST(&stcb->asoc.nets);
+ looped = true;
}
- alt = TAILQ_FIRST(&stcb->asoc.nets);
+ /* Definitely out of candidates. */
if (alt == NULL) {
- return (NULL);
+ break;
}
}
if (alt->ro.ro_nh == NULL) {
@@ -358,43 +355,59 @@ sctp_find_alternate_net(struct sctp_tcb *stcb,
}
if (((alt->dest_state & SCTP_ADDR_REACHABLE) == SCTP_ADDR_REACHABLE) &&
(alt->ro.ro_nh != NULL) &&
- (!(alt->dest_state & SCTP_ADDR_UNCONFIRMED))) {
- /* Found a reachable address */
+ (!(alt->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
+ (alt != net)) {
+ /* Found an alternate net, which is reachable. */
break;
}
- mnet = alt;
+ alt = TAILQ_NEXT(alt, sctp_next);
}
if (alt == NULL) {
- /* Case where NO insv network exists (dormant state) */
- /* we rotate destinations */
- once = 0;
- mnet = net;
+ /*
+ * In case no active alternate net has been found, look for
+ * an alternate net, which is confirmed.
+ */
+ if ((net != NULL) && ((net->dest_state & SCTP_ADDR_BEING_DELETED) == 0)) {
+ alt = TAILQ_NEXT(net, sctp_next);;
+ } else {
+ alt = TAILQ_FIRST(&stcb->asoc.nets);
+ }
+ looped = false;
for (;;) {
- if (mnet == NULL) {
- return (TAILQ_FIRST(&stcb->asoc.nets));
- }
- alt = TAILQ_NEXT(mnet, sctp_next);
if (alt == NULL) {
- once++;
- if (once > 1) {
- break;
+ if (!looped) {
+ alt = TAILQ_FIRST(&stcb->asoc.nets);
+ looped = true;
}
- alt = TAILQ_FIRST(&stcb->asoc.nets);
+ /* Definitely out of candidates. */
if (alt == NULL) {
break;
}
}
if ((!(alt->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
(alt != net)) {
- /* Found an alternate address */
+ /*
+ * Found an alternate net, which is
+ * confirmed.
+ */
break;
}
- mnet = alt;
+ alt = TAILQ_NEXT(alt, sctp_next);
}
}
if (alt == NULL) {
- return (net);
+ /*
+ * In case no confirmed alternate net has been found, just
+ * return net, if it is not being deleted. In the other case
+ * just return the first net.
+ */
+ if ((net != NULL) && ((net->dest_state & SCTP_ADDR_BEING_DELETED) == 0)) {
+ alt = net;
+ }
+ if (alt == NULL) {
+ alt = TAILQ_FIRST(&stcb->asoc.nets);
+ }
}
return (alt);
}
diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c
index 7772ebd57327..7ddb4c3710df 100644
--- a/sys/netinet/sctputil.c
+++ b/sys/netinet/sctputil.c
@@ -1291,9 +1291,8 @@ sctp_init_asoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
* that were dropped must be notified to the upper layer as
* failed to send.
*/
- asoc->strmout[i].next_mid_ordered = 0;
- asoc->strmout[i].next_mid_unordered = 0;
TAILQ_INIT(&asoc->strmout[i].outqueue);
+ asoc->ss_functions.sctp_ss_init_stream(stcb, &asoc->strmout[i], NULL);
asoc->strmout[i].chunks_on_queues = 0;
#if defined(SCTP_DETAILED_STR_STATS)
for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
@@ -1304,10 +1303,11 @@ sctp_init_asoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
asoc->strmout[i].abandoned_sent[0] = 0;
asoc->strmout[i].abandoned_unsent[0] = 0;
#endif
+ asoc->strmout[i].next_mid_ordered = 0;
+ asoc->strmout[i].next_mid_unordered = 0;
asoc->strmout[i].sid = i;
asoc->strmout[i].last_msg_incomplete = 0;
asoc->strmout[i].state = SCTP_STREAM_OPENING;
- asoc->ss_functions.sctp_ss_init_stream(stcb, &asoc->strmout[i], NULL);
}
asoc->ss_functions.sctp_ss_init(stcb, asoc, 0);
@@ -2032,14 +2032,13 @@ sctp_timeout_handler(void *t)
sctp_inpcb_free(inp, SCTP_FREE_SHOULD_USE_ABORT,
SCTP_CALLED_FROM_INPKILL_TIMER);
inp = NULL;
- goto out_no_decr;
+ goto out_decr;
case SCTP_TIMER_TYPE_ASOCKILL:
KASSERT(inp != NULL && stcb != NULL && net == NULL,
("timeout of type %d: inp = %p, stcb = %p, net = %p",
type, inp, stcb, net));
SCTP_STAT_INCR(sctps_timoassockill);
/* Can we free it yet? */
- SCTP_INP_DECR_REF(inp);
sctp_timer_stop(SCTP_TIMER_TYPE_ASOCKILL, inp, stcb, NULL,
SCTP_FROM_SCTPUTIL + SCTP_LOC_1);
(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
@@ -2049,7 +2048,7 @@ sctp_timeout_handler(void *t)
* duplicate unlock or unlock of a free mtx :-0
*/
stcb = NULL;
- goto out_no_decr;
+ goto out_decr;
case SCTP_TIMER_TYPE_ADDR_WQ:
KASSERT(inp == NULL && stcb == NULL && net == NULL,
("timeout of type %d: inp = %p, stcb = %p, net = %p",
@@ -2107,7 +2106,6 @@ out_decr:
if (net != NULL) {
sctp_free_remote_addr(net);
}
-out_no_decr:
SCTPDBG(SCTP_DEBUG_TIMER2, "Timer type %d handler finished.\n", type);
CURVNET_RESTORE();
NET_EPOCH_EXIT(et);
@@ -2279,14 +2277,19 @@ sctp_timer_start(int t_type, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
}
rndval = sctp_select_initial_TSN(&inp->sctp_ep);
jitter = rndval % to_ticks;
- if (jitter >= (to_ticks >> 1)) {
- to_ticks = to_ticks + (jitter - (to_ticks >> 1));
+ to_ticks >>= 1;
+ if (jitter < (UINT32_MAX - to_ticks)) {
+ to_ticks += jitter;
} else {
- to_ticks = to_ticks - jitter;
+ to_ticks = UINT32_MAX;
}
if (!(net->dest_state & SCTP_ADDR_UNCONFIRMED) &&
!(net->dest_state & SCTP_ADDR_PF)) {
- to_ticks += net->heart_beat_delay;
+ if (net->heart_beat_delay < (UINT32_MAX - to_ticks)) {
+ to_ticks += net->heart_beat_delay;
+ } else {
+ to_ticks = UINT32_MAX;
+ }
}
/*
* Now we must convert the to_ticks that are now in ms to
More information about the dev-commits-src-all
mailing list