svn commit: r347668 - stable/11/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Thu May 16 09:12:15 UTC 2019
Author: tuexen
Date: Thu May 16 09:12:13 2019
New Revision: 347668
URL: https://svnweb.freebsd.org/changeset/base/347668
Log:
MFC r344742:
Allocate an association id and register the stcb while holding the lock.
This avoids a race where stcbs can be found, which are not completely
initialized.
This was found by running syzkaller.
Modified:
stable/11/sys/netinet/sctp_pcb.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netinet/sctp_pcb.c
==============================================================================
--- stable/11/sys/netinet/sctp_pcb.c Thu May 16 09:10:14 2019 (r347667)
+++ stable/11/sys/netinet/sctp_pcb.c Thu May 16 09:12:13 2019 (r347668)
@@ -4156,11 +4156,9 @@ sctp_aloc_a_assoc_id(struct sctp_inpcb *inp, struct sc
struct sctpasochead *head;
struct sctp_tcb *lstcb;
- SCTP_INP_WLOCK(inp);
try_again:
if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
/* TSNH */
- SCTP_INP_WUNLOCK(inp);
return (0);
}
/*
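Review bot: With `SCTP_INP_WLOCK(inp)` and the matching unlocks removed here and in the next hunk, sctp_aloc_a_assoc_id() depends on its caller holding the inp write lock, but nothing in the visible lines states or checks that. A comment above the function such as `/* Caller must hold the INP write lock; the stcb becomes findable through the assoc id hash on return. */` would record the contract. A lock assertion at the top of the function would also catch, on debug kernels, a future caller that forgets the lock. The signature and the middle of the body lie outside this hunk, so an existing note of that kind would not be visible here.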
@@ -4179,8 +4177,7 @@ try_again:
head = &inp->sctp_asocidhash[SCTP_PCBHASH_ASOC(id, inp->hashasocidmark)];
LIST_INSERT_HEAD(head, stcb, sctp_tcbasocidhash);
stcb->asoc.in_asocid_hash = 1;
- SCTP_INP_WUNLOCK(inp);
- return id;
+ return (id);
}
/*
@@ -4343,7 +4340,6 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
memset(stcb, 0, sizeof(*stcb));
asoc = &stcb->asoc;
- asoc->assoc_id = sctp_aloc_a_assoc_id(inp, stcb);
SCTP_TCB_LOCK_INIT(stcb);
SCTP_TCB_SEND_LOCK_INIT(stcb);
stcb->rport = rport;
@@ -4354,7 +4350,6 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
/* failed */
SCTP_TCB_LOCK_DESTROY(stcb);
SCTP_TCB_SEND_LOCK_DESTROY(stcb);
- LIST_REMOVE(stcb, sctp_tcbasocidhash);
SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
SCTP_DECR_ASOC_COUNT();
*error = err;
@@ -4367,7 +4362,6 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
/* inpcb freed while alloc going on */
SCTP_TCB_LOCK_DESTROY(stcb);
SCTP_TCB_SEND_LOCK_DESTROY(stcb);
- LIST_REMOVE(stcb, sctp_tcbasocidhash);
SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
SCTP_INP_WUNLOCK(inp);
SCTP_INP_INFO_WUNLOCK();
@@ -4378,6 +4372,7 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
}
SCTP_TCB_LOCK(stcb);
+ asoc->assoc_id = sctp_aloc_a_assoc_id(inp, stcb);
/* now that my_vtag is set, add it to the hash */
head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
/* put it in the bucket in the vtag hash of assoc's for the system */
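Review bot: The added `asoc->assoc_id = sctp_aloc_a_assoc_id(inp, stcb);` stores the result unchecked, while the first hunk shows the callee returning 0 when `SCTP_PCB_FLAGS_SOCKET_ALLGONE` is set, before the hash insertion. The "inpcb freed while alloc going on" branch just above presumably excludes that case under the same lock, but the check itself is outside the hunk. A comment such as `/* inp write lock is held and ALLGONE was checked above, so a 0 return is not expected here */` would make that reliance explicit. Because `LIST_REMOVE(stcb, sctp_tcbasocidhash)` was dropped from the two earlier failure paths, any failure path after this line that frees the stcb still has to unlink it from the id hash; the remainder of sctp_aloc_assoc() is not shown, so this should be confirmed there.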