Two bugs:
- Locks were not being unlocked when an invalid size chunk is sent in. - When a notification comes in, we cannot use it to look up the fragment interleave stream information since its not on a stream.
This commit is contained in:
parent
aa1981c9e4
commit
f64462a8f2
@ -3938,6 +3938,8 @@ process_control_chunks:
|
||||
printf("Bad size on sack chunk .. to small\n");
|
||||
}
|
||||
#endif
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -3970,6 +3972,8 @@ process_control_chunks:
|
||||
}
|
||||
if (abort_now) {
|
||||
/* ABORT signal from sack processing */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -3996,6 +4000,8 @@ process_control_chunks:
|
||||
#endif /* SCTP_DEBUG */
|
||||
if (chk_length != sizeof(struct sctp_heartbeat_chunk)) {
|
||||
/* Its not ours */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -4024,6 +4030,8 @@ process_control_chunks:
|
||||
#endif /* SCTP_DEBUG */
|
||||
if (chk_length != sizeof(struct sctp_shutdown_chunk)) {
|
||||
*offset = length;
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
return (NULL);
|
||||
|
||||
} {
|
||||
@ -4211,6 +4219,8 @@ process_control_chunks:
|
||||
/* He's alive so give him credit */
|
||||
if (chk_length != sizeof(struct sctp_ecne_chunk)) {
|
||||
/* Its not ours */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -4227,6 +4237,8 @@ process_control_chunks:
|
||||
/* He's alive so give him credit */
|
||||
if (chk_length != sizeof(struct sctp_cwr_chunk)) {
|
||||
/* Its not ours */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -4274,6 +4286,8 @@ process_control_chunks:
|
||||
#endif /* SCTP_DEBUG */
|
||||
if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
|
||||
/* Its not ours */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -4291,6 +4305,8 @@ process_control_chunks:
|
||||
#endif /* SCTP_DEBUG */
|
||||
if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
|
||||
/* Its not ours */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -4327,6 +4343,8 @@ process_control_chunks:
|
||||
chk_length, chunk_buf);
|
||||
if (chk_length < sizeof(struct sctp_stream_reset_tsn_req)) {
|
||||
/* Its not ours */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -4359,6 +4377,8 @@ process_control_chunks:
|
||||
/* re-get it all please */
|
||||
if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
|
||||
/* Its not ours */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
@ -4392,6 +4412,8 @@ process_control_chunks:
|
||||
if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
|
||||
(chk_length > (sizeof(struct sctp_auth_chunk) + SCTP_AUTH_DIGEST_LEN_MAX))) {
|
||||
/* Its not ours */
|
||||
if (locked_tcb)
|
||||
SCTP_TCB_UNLOCK(locked_tcb);
|
||||
*offset = length;
|
||||
return (NULL);
|
||||
}
|
||||
|
@ -4526,7 +4526,8 @@ sctp_sorecvmsg(struct socket *so,
|
||||
} else {
|
||||
in_flags = 0;
|
||||
}
|
||||
slen = uio->uio_resid;
|
||||
if (uio)
|
||||
slen = uio->uio_resid;
|
||||
/* Pull in and set up our int flags */
|
||||
if (in_flags & MSG_OOB) {
|
||||
/* Out of band's NOT supported */
|
||||
@ -4553,11 +4554,11 @@ sctp_sorecvmsg(struct socket *so,
|
||||
in_eeor_mode = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
|
||||
#ifdef SCTP_RECV_RWND_LOGGING
|
||||
sctp_misc_ints(SCTP_SORECV_ENTER,
|
||||
rwnd_req, in_eeor_mode, so->so_rcv.sb_cc, uio->uio_resid);
|
||||
rwnd_req, in_eeor_mode, so->so_rcv.sb_cc, slen);
|
||||
#endif
|
||||
#ifdef SCTP_RECV_RWND_LOGGING
|
||||
sctp_misc_ints(SCTP_SORECV_ENTERPL,
|
||||
rwnd_req, block_allowed, so->so_rcv.sb_cc, uio->uio_resid);
|
||||
rwnd_req, block_allowed, so->so_rcv.sb_cc, slen);
|
||||
#endif
|
||||
|
||||
|
||||
@ -4592,7 +4593,7 @@ restart_nosblocks:
|
||||
/* we need to wait for data */
|
||||
#ifdef SCTP_RECV_DETAIL_RWND_LOGGING
|
||||
sctp_misc_ints(SCTP_SORECV_BLOCKSA,
|
||||
0, 0, so->so_rcv.sb_cc, uio->uio_resid);
|
||||
0, 0, so->so_rcv.sb_cc, slen);
|
||||
#endif
|
||||
if ((so->so_rcv.sb_cc == 0) &&
|
||||
((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
|
||||
@ -4767,6 +4768,7 @@ restart_nosblocks:
|
||||
while (ctl) {
|
||||
if ((ctl->stcb != control->stcb) && (ctl->length) &&
|
||||
(ctl->some_taken ||
|
||||
(ctl->spec_flags & M_NOTIFICATION) ||
|
||||
((ctl->do_not_ref_stcb == 0) &&
|
||||
(ctl->stcb->asoc.strmin[ctl->sinfo_stream].delivery_started == 0)))
|
||||
) {
|
||||
@ -4782,6 +4784,7 @@ restart_nosblocks:
|
||||
(ctl->length) &&
|
||||
((ctl->some_taken) ||
|
||||
((ctl->do_not_ref_stcb == 0) &&
|
||||
- ((ctl->spec_flags & M_NOTIFICATION) == 0) &&
|
||||
(ctl->stcb->asoc.strmin[ctl->sinfo_stream].delivery_started == 0)))
|
||||
) {
|
||||
/*-
|
||||
@ -4852,7 +4855,9 @@ found_one:
|
||||
stcb->freed_by_sorcv_sincelast = 0;
|
||||
}
|
||||
}
|
||||
if (stcb && control->do_not_ref_stcb == 0) {
|
||||
if (stcb &&
|
||||
((control->spec_flags & M_NOTIFICATION) == 0) &&
|
||||
control->do_not_ref_stcb == 0) {
|
||||
stcb->asoc.strmin[control->sinfo_stream].delivery_started = 1;
|
||||
}
|
||||
/* First lets get off the sinfo and sockaddr info */
|
||||
@ -5014,7 +5019,7 @@ get_more_data:
|
||||
if ((SCTP_BUF_NEXT(m) == NULL) &&
|
||||
(control->end_added)) {
|
||||
out_flags |= MSG_EOR;
|
||||
if (control->do_not_ref_stcb == 0)
|
||||
if ((control->do_not_ref_stcb == 0) && ((control->spec_flags & M_NOTIFICATION) == 0))
|
||||
control->stcb->asoc.strmin[control->sinfo_stream].delivery_started = 0;
|
||||
}
|
||||
if (control->spec_flags & M_NOTIFICATION) {
|
||||
@ -5287,12 +5292,12 @@ wait_some_more:
|
||||
/* he aborted, or is done i.e.did a shutdown */
|
||||
out_flags |= MSG_EOR;
|
||||
if (control->pdapi_aborted) {
|
||||
if (control->do_not_ref_stcb == 0)
|
||||
if ((control->do_not_ref_stcb == 0) && ((control->spec_flags & M_NOTIFICATION) == 0))
|
||||
control->stcb->asoc.strmin[control->sinfo_stream].delivery_started = 0;
|
||||
|
||||
out_flags |= MSG_TRUNC;
|
||||
} else {
|
||||
if (control->do_not_ref_stcb == 0)
|
||||
if ((control->do_not_ref_stcb == 0) && ((control->spec_flags & M_NOTIFICATION) == 0))
|
||||
control->stcb->asoc.strmin[control->sinfo_stream].delivery_started = 0;
|
||||
}
|
||||
goto done_with_control;
|
||||
@ -5343,7 +5348,7 @@ get_more_data2:
|
||||
}
|
||||
if (control->end_added) {
|
||||
out_flags |= MSG_EOR;
|
||||
if (control->do_not_ref_stcb == 0)
|
||||
if ((control->do_not_ref_stcb == 0) && ((control->spec_flags & M_NOTIFICATION) == 0))
|
||||
control->stcb->asoc.strmin[control->sinfo_stream].delivery_started = 0;
|
||||
}
|
||||
if (control->spec_flags & M_NOTIFICATION) {
|
||||
@ -5409,7 +5414,7 @@ get_more_data2:
|
||||
out_flags |= MSG_EOR;
|
||||
if (control->pdapi_aborted) {
|
||||
out_flags |= MSG_TRUNC;
|
||||
if (control->do_not_ref_stcb == 0)
|
||||
if ((control->do_not_ref_stcb == 0) && ((control->spec_flags & M_NOTIFICATION) == 0))
|
||||
control->stcb->asoc.strmin[control->sinfo_stream].delivery_started = 0;
|
||||
}
|
||||
goto done_with_control;
|
||||
|
Loading…
x
Reference in New Issue
Block a user