Commit 0f8d583

Improve restart handling.
This fixes in particular a possible use after free bug reported Anatoly Korniltsev and Taylor Brandstetter for the userland stack.
1 parent 338127f commit 0f8d583

1 file changed

+12
-8
lines changed

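--- a/usrsctplib/netinet/sctp_input.c
+++ b/usrsctplib/netinet/sctp_input.c
@@ -1954,11 +1954,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
 /* temp code */
 if (how_indx < sizeof(asoc->cookie_how))
 asoc->cookie_how[how_indx] = 12;
-sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net,
-SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
-sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
-SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
-
+sctp_stop_association_timers(stcb, false);
 /* notify upper layer */
 *notification = SCTP_NOTIFY_ASSOC_RESTART;
 atomic_add_int(&stcb->asoc.refcnt, 1);
@@ -1991,6 +1987,10 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
 asoc->str_reset_seq_in = asoc->init_seq_number;
 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
 asoc->send_sack = 1;
+asoc->data_pkts_seen = 0;
+asoc->last_data_chunk_from = NULL;
+asoc->last_control_chunk_from = NULL;
+asoc->last_net_cmt_send_started = NULL;
 if (asoc->mapping_array) {
 memset(asoc->mapping_array, 0,
 asoc->mapping_array_size);
@@ -2055,6 +2055,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
 SCTP_DECR_CHK_COUNT();
 }
+asoc->ctrl_queue_cnt = 0;
+asoc->str_reset = NULL;
+asoc->stream_reset_outstanding = 0;
 TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
 TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
 if (chk->data) {
@@ -2141,12 +2144,13 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
 return (NULL);
 }
 /* respond with a COOKIE-ACK */
-sctp_stop_all_cookie_timers(stcb);
-sctp_toss_old_cookies(stcb, asoc);
 sctp_send_cookie_ack(stcb);
 if (how_indx < sizeof(asoc->cookie_how))
 asoc->cookie_how[how_indx] = 15;
-
+if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE) &&
+(asoc->sctp_autoclose_ticks > 0)) {
+sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
+}
 return (stcb);
 }
 if (how_indx < sizeof(asoc->cookie_how))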
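Review bot: The pointer resets added at new lines 1991–1993 (`last_data_chunk_from`, `last_control_chunk_from`, `last_net_cmt_send_started`) are the part of this change that addresses the reported use-after-free, yet nothing in the hunk says why they must be cleared at this point or which later step would otherwise dereference a stale `struct sctp_nets`, so a future reordering of the restart path could silently move them past a use. I would put `/* A restart may free or replace the peer's nets; drop every cached net pointer here so nothing dereferences a stale one. */` above them, worded as an assumption since the net teardown itself is not visible in these hunks. The same applies to `asoc->str_reset = NULL;` at new line 2059, which follows the loop that frees the control-queue chunks it may have pointed at; a one-line comment tying the reset to that loop would make the invariant explicit. The removal of `sctp_stop_all_cookie_timers()` and `sctp_toss_old_cookies()` at old lines 2144–2145 is presumably covered by `sctp_stop_association_timers()` and the chunk-freeing loops, but that is an inference from the diff, not something the commit states. sctp_process_cookie_existing begins before the first hunk and continues past the last.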
