svn commit: r347116 - stable/12/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Sat May 4 12:49:57 UTC 2019
Author: tuexen
Date: Sat May 4 12:49:55 2019
New Revision: 347116
URL: https://svnweb.freebsd.org/changeset/base/347116
Log:
MFC r345465:
Fix a signed/unsigned bug when receiving SCTP messages.
This is joint work with rrs at .
MFC r345466:
Fox more signed unsigned issues. This time on the send path.
This is joint work with rrs@ and was found by running syzkaller.
MFC r345467:
Fix build issue for the userland stack.
Joint work with rrs at .
Modified:
stable/12/sys/netinet/sctp_output.c
stable/12/sys/netinet/sctp_structs.h
stable/12/sys/netinet/sctputil.c
stable/12/sys/netinet/sctputil.h
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netinet/sctp_output.c
==============================================================================
--- stable/12/sys/netinet/sctp_output.c Sat May 4 12:35:12 2019 (r347115)
+++ stable/12/sys/netinet/sctp_output.c Sat May 4 12:49:55 2019 (r347116)
@@ -6813,10 +6813,10 @@ sctp_sendall_completes(void *ptr, uint32_t val SCTP_UN
}
static struct mbuf *
-sctp_copy_out_all(struct uio *uio, int len)
+sctp_copy_out_all(struct uio *uio, ssize_t len)
{
struct mbuf *ret, *at;
- int left, willcpy, cancpy, error;
+ ssize_t left, willcpy, cancpy, error;
ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAITOK, 1, MT_DATA);
if (ret == NULL) {
@@ -6831,17 +6831,17 @@ sctp_copy_out_all(struct uio *uio, int len)
at = ret;
while (left > 0) {
/* Align data to the end */
- error = uiomove(mtod(at, caddr_t), willcpy, uio);
+ error = uiomove(mtod(at, caddr_t), (int)willcpy, uio);
if (error) {
err_out_now:
sctp_m_freem(at);
return (NULL);
}
- SCTP_BUF_LEN(at) = willcpy;
+ SCTP_BUF_LEN(at) = (int)willcpy;
SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0;
left -= willcpy;
if (left > 0) {
- SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 1, MT_DATA);
+ SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg((unsigned int)left, 0, M_WAITOK, 1, MT_DATA);
if (SCTP_BUF_NEXT(at) == NULL) {
goto err_out_now;
}
@@ -6889,7 +6889,7 @@ sctp_sendall(struct sctp_inpcb *inp, struct uio *uio,
ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL;
/* get length and mbuf chain */
if (uio) {
- ca->sndlen = (int)uio->uio_resid;
+ ca->sndlen = uio->uio_resid;
ca->m = sctp_copy_out_all(uio, ca->sndlen);
if (ca->m == NULL) {
SCTP_FREE(ca, SCTP_M_COPYAL);
@@ -12387,7 +12387,7 @@ sctp_copy_it_in(struct sctp_tcb *stcb,
struct sctp_sndrcvinfo *srcv,
struct uio *uio,
struct sctp_nets *net,
- int max_send_len,
+ ssize_t max_send_len,
int user_marks_eor,
int *error)
{
@@ -12533,7 +12533,7 @@ sctp_lower_sosend(struct socket *so,
struct thread *p
)
{
- unsigned int sndlen = 0, max_len;
+ ssize_t sndlen = 0, max_len;
int error, len;
struct mbuf *top = NULL;
int queue_only = 0, queue_only_for_init = 0;
@@ -12555,7 +12555,8 @@ sctp_lower_sosend(struct socket *so,
int got_all_of_the_send = 0;
int hold_tcblock = 0;
int non_blocking = 0;
- uint32_t local_add_more, local_soresv = 0;
+ uint32_t local_add_more;
+ ssize_t local_soresv = 0;
uint16_t port;
uint16_t sinfo_flags;
sctp_assoc_t sinfo_assoc_id;
@@ -12585,12 +12586,12 @@ sctp_lower_sosend(struct socket *so,
SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
return (EINVAL);
}
- sndlen = (unsigned int)uio->uio_resid;
+ sndlen = uio->uio_resid;
} else {
top = SCTP_HEADER_TO_CHAIN(i_pak);
sndlen = SCTP_HEADER_LEN(i_pak);
}
- SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %d\n",
+ SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zu\n",
(void *)addr,
sndlen);
if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
@@ -12859,7 +12860,7 @@ sctp_lower_sosend(struct socket *so,
}
/* would we block? */
if (non_blocking) {
- uint32_t amount;
+ ssize_t amount;
if (hold_tcblock == 0) {
SCTP_TCB_LOCK(stcb);
@@ -12880,7 +12881,7 @@ sctp_lower_sosend(struct socket *so,
error = EWOULDBLOCK;
goto out_unlocked;
}
- stcb->asoc.sb_send_resv += sndlen;
+ stcb->asoc.sb_send_resv += (uint32_t)sndlen;
SCTP_TCB_UNLOCK(stcb);
hold_tcblock = 0;
} else {
@@ -12944,7 +12945,7 @@ sctp_lower_sosend(struct socket *so,
/* Are we aborting? */
if (srcv->sinfo_flags & SCTP_ABORT) {
struct mbuf *mm;
- int tot_demand, tot_out = 0, max_out;
+ ssize_t tot_demand, tot_out = 0, max_out;
SCTP_STAT_INCR(sctps_sends_with_abort);
if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
@@ -12978,7 +12979,7 @@ sctp_lower_sosend(struct socket *so,
error = EMSGSIZE;
goto out;
}
- mm = sctp_get_mbuf_for_msg(tot_demand, 0, M_WAITOK, 1, MT_DATA);
+ mm = sctp_get_mbuf_for_msg((unsigned int)tot_demand, 0, M_WAITOK, 1, MT_DATA);
}
if (mm == NULL) {
SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
@@ -12998,7 +12999,7 @@ sctp_lower_sosend(struct socket *so,
ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
ph->param_length = htons((uint16_t)(sizeof(struct sctp_paramhdr) + tot_out));
ph++;
- SCTP_BUF_LEN(mm) = tot_out + sizeof(struct sctp_paramhdr);
+ SCTP_BUF_LEN(mm) = (int)(tot_out + sizeof(struct sctp_paramhdr));
if (top == NULL) {
error = uiomove((caddr_t)ph, (int)tot_out, uio);
if (error) {
@@ -13079,7 +13080,7 @@ sctp_lower_sosend(struct socket *so,
* For non-eeor the whole message must fit in
* the socket send buffer.
*/
- local_add_more = sndlen;
+ local_add_more = (uint32_t)sndlen;
}
len = 0;
if (non_blocking) {
@@ -13229,14 +13230,14 @@ skip_preblock:
if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
(max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
- (uio->uio_resid && (uio->uio_resid <= (int)max_len))) {
+ (uio->uio_resid && (uio->uio_resid <= max_len))) {
sndout = 0;
new_tail = NULL;
if (hold_tcblock) {
SCTP_TCB_UNLOCK(stcb);
hold_tcblock = 0;
}
- mm = sctp_copy_resume(uio, max_len, user_marks_eor, &error, &sndout, &new_tail);
+ mm = sctp_copy_resume(uio, (int)max_len, user_marks_eor, &error, &sndout, &new_tail);
if ((mm == NULL) || error) {
if (mm) {
sctp_m_freem(mm);
@@ -13299,7 +13300,7 @@ skip_preblock:
SCTP_TCB_LOCK(stcb);
hold_tcblock = 1;
}
- sctp_prune_prsctp(stcb, asoc, srcv, sndlen);
+ sctp_prune_prsctp(stcb, asoc, srcv, (int)sndlen);
inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes)
max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
@@ -13421,7 +13422,7 @@ skip_preblock:
min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) {
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
- asoc, (size_t)uio->uio_resid);
+ asoc, uio->uio_resid);
}
be.error = 0;
stcb->block_entry = &be;
Modified: stable/12/sys/netinet/sctp_structs.h
==============================================================================
--- stable/12/sys/netinet/sctp_structs.h Sat May 4 12:35:12 2019 (r347115)
+++ stable/12/sys/netinet/sctp_structs.h Sat May 4 12:49:55 2019 (r347116)
@@ -166,7 +166,7 @@ struct sctp_copy_all {
struct sctp_inpcb *inp; /* ep */
struct mbuf *m;
struct sctp_sndrcvinfo sndrcv;
- int sndlen;
+ ssize_t sndlen;
int cnt_sent;
int cnt_failed;
};
Modified: stable/12/sys/netinet/sctputil.c
==============================================================================
--- stable/12/sys/netinet/sctputil.c Sat May 4 12:35:12 2019 (r347115)
+++ stable/12/sys/netinet/sctputil.c Sat May 4 12:49:55 2019 (r347116)
@@ -546,7 +546,7 @@ sctp_wakeup_log(struct sctp_tcb *stcb, uint32_t wake_c
}
void
-sctp_log_block(uint8_t from, struct sctp_association *asoc, size_t sendlen)
+sctp_log_block(uint8_t from, struct sctp_association *asoc, ssize_t sendlen)
{
#if defined(SCTP_LOCAL_TRACE_BUF)
struct sctp_cwnd_log sctp_clog;
@@ -5219,8 +5219,9 @@ sctp_sorecvmsg(struct socket *so,
*
*/
struct sctp_inpcb *inp = NULL;
- int my_len = 0;
- int cp_len = 0, error = 0;
+ ssize_t my_len = 0;
+ ssize_t cp_len = 0;
+ int error = 0;
struct sctp_queued_to_read *control = NULL, *ctl = NULL, *nxt = NULL;
struct mbuf *m = NULL;
struct sctp_tcb *stcb = NULL;
@@ -5229,7 +5230,7 @@ sctp_sorecvmsg(struct socket *so,
int out_flags = 0, in_flags = 0;
int block_allowed = 1;
uint32_t freed_so_far = 0;
- uint32_t copied_so_far = 0;
+ ssize_t copied_so_far = 0;
int in_eeor_mode = 0;
int no_rcv_needed = 0;
uint32_t rwnd_req = 0;
@@ -5573,7 +5574,7 @@ found_one:
* will go to the sctp_user_rcvd() that will not
* lock until it KNOWs it MUST send a WUP-SACK.
*/
- freed_so_far = stcb->freed_by_sorcv_sincelast;
+ freed_so_far = (uint32_t)stcb->freed_by_sorcv_sincelast;
stcb->freed_by_sorcv_sincelast = 0;
}
}
@@ -5728,8 +5729,8 @@ get_more_data:
m = control->data;
while (m) {
/* Move out all we can */
- cp_len = (int)uio->uio_resid;
- my_len = (int)SCTP_BUF_LEN(m);
+ cp_len = uio->uio_resid;
+ my_len = SCTP_BUF_LEN(m);
if (cp_len > my_len) {
/* not enough in this buf */
cp_len = my_len;
@@ -5739,7 +5740,7 @@ get_more_data:
hold_rlock = 0;
}
if (cp_len > 0)
- error = uiomove(mtod(m, char *), cp_len, uio);
+ error = uiomove(mtod(m, char *), (int)cp_len, uio);
/* re-read */
if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
goto release;
@@ -5784,7 +5785,7 @@ get_more_data:
control->do_not_ref_stcb ? NULL : stcb, SCTP_LOG_SBRESULT, 0);
}
copied_so_far += cp_len;
- freed_so_far += cp_len;
+ freed_so_far += (uint32_t)cp_len;
freed_so_far += MSIZE;
atomic_subtract_int(&control->length, cp_len);
control->data = sctp_m_free(m);
@@ -5824,9 +5825,9 @@ get_more_data:
}
if ((in_flags & MSG_PEEK) == 0) {
SCTP_BUF_RESV_UF(m, cp_len);
- SCTP_BUF_LEN(m) -= cp_len;
+ SCTP_BUF_LEN(m) -= (int)cp_len;
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
- sctp_sblog(&so->so_rcv, control->do_not_ref_stcb ? NULL : stcb, SCTP_LOG_SBFREE, cp_len);
+ sctp_sblog(&so->so_rcv, control->do_not_ref_stcb ? NULL : stcb, SCTP_LOG_SBFREE, (int)cp_len);
}
atomic_subtract_int(&so->so_rcv.sb_cc, cp_len);
if ((control->do_not_ref_stcb == 0) &&
@@ -5834,7 +5835,7 @@ get_more_data:
atomic_subtract_int(&stcb->asoc.sb_cc, cp_len);
}
copied_so_far += cp_len;
- freed_so_far += cp_len;
+ freed_so_far += (uint32_t)cp_len;
freed_so_far += MSIZE;
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
sctp_sblog(&so->so_rcv, control->do_not_ref_stcb ? NULL : stcb,
@@ -6062,7 +6063,7 @@ wait_some_more:
control->do_not_ref_stcb ? NULL : stcb, SCTP_LOG_SBFREE, SCTP_BUF_LEN(m));
}
sctp_sbfree(control, stcb, &so->so_rcv, m);
- freed_so_far += SCTP_BUF_LEN(m);
+ freed_so_far += (uint32_t)SCTP_BUF_LEN(m);
freed_so_far += MSIZE;
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SB_LOGGING_ENABLE) {
sctp_sblog(&so->so_rcv,
Modified: stable/12/sys/netinet/sctputil.h
==============================================================================
--- stable/12/sys/netinet/sctputil.h Sat May 4 12:35:12 2019 (r347115)
+++ stable/12/sys/netinet/sctputil.h Sat May 4 12:49:55 2019 (r347116)
@@ -367,7 +367,7 @@ void sctp_log_closing(struct sctp_inpcb *inp, struct s
void sctp_log_lock(struct sctp_inpcb *inp, struct sctp_tcb *stcb, uint8_t from);
void sctp_log_maxburst(struct sctp_tcb *stcb, struct sctp_nets *, int, int, uint8_t);
-void sctp_log_block(uint8_t, struct sctp_association *, size_t);
+void sctp_log_block(uint8_t, struct sctp_association *, ssize_t);
void sctp_log_rwnd(uint8_t, uint32_t, uint32_t, uint32_t);
void sctp_log_rwnd_set(uint8_t, uint32_t, uint32_t, uint32_t, uint32_t);
int sctp_fill_stat_log(void *, size_t *);
More information about the svn-src-all
mailing list