diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 5da86ff564be..a7b8e7f7978c 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -535,7 +535,7 @@ sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
 struct sockaddr_storage store;
 struct sockaddr_in *sin;
 struct sockaddr_in6 *sin6;
- struct sctp_nets *r_net;
+ struct sctp_nets *r_net, *f_net;
 struct timeval tv;
 int req_prim = 0;
@@ -581,16 +581,16 @@ sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
 stcb->asoc.primary_destination = r_net;
 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY;
 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
- r_net = TAILQ_FIRST(&stcb->asoc.nets);
- if (r_net != stcb->asoc.primary_destination) {
+ f_net = TAILQ_FIRST(&stcb->asoc.nets);
+ if (f_net != r_net) {
 /*
 * first one on the list is NOT the primary
 * sctp_cmpaddr() is much more efficent if
 * the primary is the first on the list,
 * make it so.
 */
- TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
- TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
+ TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next);
+ TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next);
 }
 req_prim = 1;
 }
@@ -4685,14 +4685,14 @@ __attribute__((noinline))
 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n");
 SCTP_STAT_INCR(sctps_recvsacks);
- if ((stcb->asoc.sctp_nr_sack_on_off == 0) ||
- (stcb->asoc.peer_supports_nr_sack == 0)) {
- goto unknown_chunk;
- }
 if (stcb == NULL) {
 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing NR-SACK chunk\n");
 break;
 }
+ if ((stcb->asoc.sctp_nr_sack_on_off == 0) ||
+ (stcb->asoc.peer_supports_nr_sack == 0)) {
+ goto unknown_chunk;
+ }
 if (chk_length < sizeof(struct sctp_nr_sack_chunk)) {
 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR-SACK chunk, too small\n");
 break;
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index a9d00b8372a1..87b914375d3d 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
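Review bot: In the SCTP_NR_SACK hunk of sctp_input.c (-4685), `SCTP_STAT_INCR(sctps_recvsacks);` still runs before the `stcb == NULL` test, so a chunk that arrives with no stcb is counted as a received SACK even though it is dropped two lines later; if that is not intended, move the increment below the NULL check. Since the ordering of the two `if` blocks is the whole fix, it deserves a one-line comment so a later cleanup does not swap them back, for example `/* stcb may be NULL here; test it before reading stcb->asoc */`. The case body starts and ends outside the hunk.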
@@ -9840,9 +9840,12 @@ send_forward_tsn(struct sctp_tcb *stcb,
 at = TAILQ_FIRST(&asoc->sent_queue);
 for (i = 0; i < cnt_of_skipped; i++) {
 tp1 = TAILQ_NEXT(at, sctp_next);
+ if (tp1 == NULL) {
+ break;
+ }
 at = tp1;
 }
- if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
+ if (at && SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
 sctp_misc_ints(SCTP_FWD_TSN_CHECK, 0xff, cnt_of_skipped, at->rec.data.TSN_seq, asoc->advanced_peer_ack_point);
@@ -9852,7 +9855,8 @@ send_forward_tsn(struct sctp_tcb *stcb,
 * last now points to last one I can report, update
 * peer ack point
 */
- advance_peer_ack_point = last->rec.data.TSN_seq;
+ if (last)
+ advance_peer_ack_point = last->rec.data.TSN_seq;
 space_needed = sizeof(struct sctp_forward_tsn_chunk) + cnt_of_skipped * sizeof(struct sctp_strseq);
 }
@@ -9885,6 +9889,8 @@ send_forward_tsn(struct sctp_tcb *stcb,
 at = TAILQ_FIRST(&asoc->sent_queue);
 for (i = 0; i < cnt_of_skipped; i++) {
 tp1 = TAILQ_NEXT(at, sctp_next);
+ if (tp1 == NULL)
+ break;
 if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
 /* We don't report these */
 i--;
@@ -10560,7 +10566,8 @@ sctp_send_shutdown_complete2(struct mbuf *m, int iphlen, struct sctphdr *sh,
 udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
 udp->uh_dport = port;
 udp->uh_ulen = htons(sizeof(struct sctp_shutdown_complete_msg) + sizeof(struct udphdr));
- udp->uh_sum = in_pseudo(iph_out->ip_src.s_addr, iph_out->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
+ if (iph_out)
+ udp->uh_sum = in_pseudo(iph_out->ip_src.s_addr, iph_out->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
 offset_out += sizeof(struct udphdr);
 comp_cp = (struct sctp_shutdown_complete_msg *)((caddr_t)comp_cp + sizeof(struct udphdr));
 }
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index dd469cb90b33..de18c2e203b7 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
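Review bot: In the first walk of send_forward_tsn() (-9840), `at` comes straight from `TAILQ_FIRST(&asoc->sent_queue)` and is handed to `TAILQ_NEXT(at, sctp_next)` on the first iteration before any check, so the added `tp1 == NULL` test does not cover an empty queue. The new `at &&` in the logging condition implies `at` can be NULL, yet within this hunk the only way that happens is the empty-queue case, which the loop has already dereferenced. Guard the loop itself, e.g. `for (i = 0; (at != NULL) && (i < cnt_of_skipped); i++) {`; the second walk at -9885 starts the same way. Parenthesising `(SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE)` would also make the mixed `&&`/`&` condition easier to read.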
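Review bot: In the second walk of send_forward_tsn() (-9885), `if (tp1 == NULL) break;` fires when `at` is the last entry on sent_queue and leaves the loop before that entry is examined, although `at` itself is valid at that point. If the rest of the loop body (outside this hunk) records `at` and then advances with `at = tp1`, test the pointer that is actually dereferenced instead: `if (at == NULL) break;` placed before `tp1 = TAILQ_NEXT(at, sctp_next);`. An early exit also means fewer entries are written than `cnt_of_skipped`, which the previous hunk uses to compute `space_needed`, so the chunk length should be checked against the number of entries actually filled in.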
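Review bot: In sctp_send_shutdown_complete2() (-10560), the new `if (iph_out)` guard leaves `udp->uh_sum` unassigned when `iph_out` is NULL, and nothing in the hunk gives the field a value on that path. If the checksum is filled in elsewhere for that case, add a comment next to the guard naming where; otherwise initialise the field before the test, e.g. `udp->uh_sum = 0;`, so the header never carries whatever the buffer held. The enclosing block starts outside the hunk.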
@@ -517,7 +517,7 @@ sctp_add_addr_to_vrf(uint32_t vrf_id, void *ifn, uint32_t ifn_index,
 sizeof(struct sctp_ifn), SCTP_M_IFN);
 if (sctp_ifnp == NULL) {
 #ifdef INVARIANTS
- panic("No memory for IFN:%u", sctp_ifnp->ifn_index);
+ panic("No memory for IFN");
 #endif
 return (NULL);
 }
@@ -5902,7 +5902,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
 }
 #endif
 default:
- sa = NULL;
+ return (-1);
 break;
 }
 } else {
diff --git a/sys/netinet/sctp_timer.c b/sys/netinet/sctp_timer.c
index e2bd5bb5f566..1e0b771708c3 100644
--- a/sys/netinet/sctp_timer.c
+++ b/sys/netinet/sctp_timer.c
@@ -482,6 +482,9 @@ sctp_find_alternate_net(struct sctp_tcb *stcb,
 if (mnet == NULL) {
 mnet = TAILQ_FIRST(&stcb->asoc.nets);
+ if (mnet == NULL) {
+ return (NULL);
+ }
 }
 do {
 alt = TAILQ_NEXT(mnet, sctp_next);
@@ -491,6 +494,9 @@ sctp_find_alternate_net(struct sctp_tcb *stcb,
 break;
 }
 alt = TAILQ_FIRST(&stcb->asoc.nets);
+ if (alt == NULL) {
+ return (NULL);
+ }
 }
 if (alt->ro.ro_rt == NULL) {
 if (alt->ro._s_addr) {
@@ -517,6 +523,9 @@ sctp_find_alternate_net(struct sctp_tcb *stcb,
 once = 0;
 mnet = net;
 do {
+ if (mnet == NULL) {
+ return (TAILQ_FIRST(&stcb->asoc.nets));
+ }
 alt = TAILQ_NEXT(mnet, sctp_next);
 if (alt == NULL) {
 once++;
diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c
index 95bbe3621172..b09fe7ec72b2 100644
--- a/sys/netinet/sctputil.c
+++ b/sys/netinet/sctputil.c
@@ -340,7 +340,7 @@ sctp_log_lock(struct sctp_inpcb *inp, struct sctp_tcb *stcb, uint8_t from)
 sctp_clog.x.lock.create_lock = SCTP_LOCK_UNKNOWN;
 }
 sctp_clog.x.lock.info_lock = rw_wowned(&SCTP_BASE_INFO(ipi_ep_mtx));
- if (inp->sctp_socket) {
+ if (inp && (inp->sctp_socket)) {
 sctp_clog.x.lock.sock_lock = mtx_owned(&(inp->sctp_socket->so_rcv.sb_mtx));
 sctp_clog.x.lock.sockrcvbuf_lock = mtx_owned(&(inp->sctp_socket->so_rcv.sb_mtx));
 sctp_clog.x.lock.socksndbuf_lock = mtx_owned(&(inp->sctp_socket->so_snd.sb_mtx));
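Review bot: The replacement `panic("No memory for IFN")` in sctp_add_addr_to_vrf() (-517) drops the interface index that the old message tried to print. The old call read it through the NULL `sctp_ifnp`, but the same value appears to be available as the `ifn_index` parameter shown in the hunk header, so the diagnostic can be kept with `panic("No memory for IFN:%u", ifn_index);`. The function body starts and ends outside the hunk.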
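Review bot: In the `default:` arm of sctp_load_addresses_from_init() (-5902), the `break;` that follows the new `return (-1);` is unreachable and should be removed. The return now leaves from the middle of the function, so it is worth confirming against the code outside this hunk that nothing acquired earlier needs releasing first and that callers treat -1 as a failure. A short comment such as `/* unsupported case: fail instead of continuing with sa == NULL */` would record why the arm no longer falls through.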
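Review bot: sctp_find_alternate_net() gains early exits with two different results for a missing list entry: `return (NULL);` in the hunks at -482 and -491, and `return (TAILQ_FIRST(&stcb->asoc.nets));` at -517, which is itself NULL when the list is empty. Callers are not part of this diff; if NULL was not a possible result before, any caller that uses the returned net without a test only moves the dereference, so each call site needs checking. State the contract at the first guard or in the function comment, for example `/* returns NULL when the association has no destination addresses */`.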
@@ -4211,7 +4211,7 @@ void
 sctp_print_address_pkt(struct ip *iph, struct sctphdr *sh)
 {
 switch (iph->ip_v) {
- case IPVERSION:
+ case IPVERSION:
 {
 struct sockaddr_in lsa, fsa;
@@ -5704,7 +5704,9 @@ sctp_sorecvmsg(struct socket *so,
 if ((SCTP_BUF_NEXT(m) == NULL) && (control->end_added)) {
 out_flags |= MSG_EOR;
- if ((control->do_not_ref_stcb == 0) && ((control->spec_flags & M_NOTIFICATION) == 0))
+ if ((control->do_not_ref_stcb == 0) &&
+ (control->stcb != NULL) &&
+ ((control->spec_flags & M_NOTIFICATION) == 0))
 control->stcb->asoc.strmin[control->sinfo_stream].delivery_started = 0;
 }
 if (control->spec_flags & M_NOTIFICATION) {
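Review bot: The three-line condition added in sctp_sorecvmsg() (-5704) controls a single unbraced statement, `control->stcb->asoc.strmin[control->sinfo_stream].delivery_started = 0;`; put braces around it so a later edit cannot detach the assignment from the `control->stcb != NULL` test. The new test also shows that `do_not_ref_stcb == 0` does not by itself guarantee a usable `stcb`, which is worth recording at this site, for example `/* stcb can be NULL even when do_not_ref_stcb is clear */`. The function body starts and ends outside the hunk.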