svn commit: r361469 - stable/11/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Mon May 25 20:04:10 UTC 2020
Author: tuexen
Date: Mon May 25 20:04:09 2020
New Revision: 361469
URL: https://svnweb.freebsd.org/changeset/base/361469
Log:
MFC r360869: Fix bug in PR-SCTP
Only drop DATA chunk with lower priorities as specified in RFC 7496.
This issue was found by looking at a reproducer generated by syzkaller.
Modified:
stable/11/sys/netinet/sctp_output.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netinet/sctp_output.c
==============================================================================
--- stable/11/sys/netinet/sctp_output.c Mon May 25 17:47:31 2020 (r361468)
+++ stable/11/sys/netinet/sctp_output.c Mon May 25 20:04:09 2020 (r361469)
@@ -6198,11 +6198,11 @@ sctp_prune_prsctp(struct sctp_tcb *stcb,
* This one is PR-SCTP AND buffer space
* limited type
*/
- if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
+ if (chk->rec.data.timetodrop.tv_sec > (long)srcv->sinfo_timetolive) {
/*
* Lower numbers equates to higher
* priority so if the one we are
- * looking at has a larger or equal
+ * looking at has a larger
* priority we want to drop the data
* and NOT retransmit it.
*/
@@ -6233,7 +6233,7 @@ sctp_prune_prsctp(struct sctp_tcb *stcb,
TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
/* Here we must move to the sent queue and mark */
if (PR_SCTP_BUF_ENABLED(chk->flags)) {
- if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
+ if (chk->rec.data.timetodrop.tv_sec > (long)srcv->sinfo_timetolive) {
if (chk->data) {
/*
* We release the book_size
@@ -12614,7 +12614,7 @@ sctp_lower_sosend(struct socket *so,
top = SCTP_HEADER_TO_CHAIN(i_pak);
sndlen = SCTP_HEADER_LEN(i_pak);
}
- SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zu\n",
+ SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zd\n",
(void *)addr,
sndlen);
if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
More information about the svn-src-all
mailing list