From 527830f803f4b7c302d3fdc36e003b40056b2f81 Mon Sep 17 00:00:00 2001
From: tuexen
Date: Mon, 22 Aug 2016 01:45:29 +0000
Subject: [PATCH] Improve the locking when sending user messages.

First, keep a ref count on the stcb after looking it up, as done in the other lookup cases.
Second, before looking again at sp, ensure that it is not freed, because the assoc is about to be freed.

MFC after: 3 days
---
 sys/netinet/sctp_output.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index 621b25ecbae8..88c0895c975b 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -12639,7 +12639,10 @@ sctp_lower_sosend(struct socket *so,
 }
 SCTP_INP_RUNLOCK(inp);
 } else if (sinfo_assoc_id) {
- stcb = sctp_findassociation_ep_asocid(inp, sinfo_assoc_id, 0);
+ stcb = sctp_findassociation_ep_asocid(inp, sinfo_assoc_id, 1);
+ if (stcb != NULL) {
+ hold_tcblock = 1;
+ }
 } else if (addr) {
 /*-
 * Since we did not use findep we must
@@ -13404,6 +13407,10 @@ sctp_lower_sosend(struct socket *so,
 }
 }
 SCTP_TCB_SEND_LOCK(stcb);
+ if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
+ SCTP_TCB_SEND_UNLOCK(stcb);
+ goto out_unlocked;
+ }
 if (sp) {
 if (sp->msg_is_complete == 0) {
 strm->last_msg_incomplete = 1;
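Review bot: The new early exit in the second hunk jumps to `out_unlocked` with `error` untouched, so unless something earlier already set it the caller is told the send succeeded while the association is being torn down; if the other SCTP_STATE_ABOUT_TO_BE_FREED checks in sctp_lower_sosend set an error code first, this path should do the same, e.g. `error = ECONNRESET;` before the `goto` (confirm the value those paths use, as the function body lies outside the hunk). It is also worth confirming that `hold_tcblock` cannot still be set here: the first hunk now leaves the TCB lock held after the asoc-id lookup, and a jump past `out:` straight to `out_unlocked` would presumably skip the matching SCTP_TCB_UNLOCK(stcb). If the TCB lock is known to be dropped by this point, a short comment above the check, `/* Only the send lock is held here; the TCB lock was released earlier. */`, would spare the next reader the same question.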