Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 15 May 2014 20:21:19 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r266190 - stable/9/sys/netinet
Message-ID:  <201405152021.s4FKLJ5c086878@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: tuexen
Date: Thu May 15 20:21:19 2014
New Revision: 266190
URL: http://svnweb.freebsd.org/changeset/base/266190

Log:
  MFC r264838:
  
  Don't free an mbuf twice. This only happens in very rare error
  cases where the peer sends illegal sequencing information in
  DATA chunks for an existing association.

Modified:
  stable/9/sys/netinet/sctp_indata.c
Directory Properties:
  stable/9/sys/   (props changed)

Modified: stable/9/sys/netinet/sctp_indata.c
==============================================================================
--- stable/9/sys/netinet/sctp_indata.c	Thu May 15 20:19:33 2014	(r266189)
+++ stable/9/sys/netinet/sctp_indata.c	Thu May 15 20:21:19 2014	(r266190)
@@ -1716,6 +1716,9 @@ failed_pdapi_express_del:
 				stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_15;
 				sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
 				*abort_flag = 1;
+				if (last_chunk) {
+					*m = NULL;
+				}
 				return (0);
 			} else {
 				if (sctp_does_tsn_belong_to_reasm(asoc, control->sinfo_tsn)) {
@@ -1732,6 +1735,9 @@ failed_pdapi_express_del:
 					stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_16;
 					sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
 					*abort_flag = 1;
+					if (last_chunk) {
+						*m = NULL;
+					}
 					return (0);
 				}
 			}
@@ -1758,6 +1764,9 @@ failed_pdapi_express_del:
 					stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_17;
 					sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
 					*abort_flag = 1;
+					if (last_chunk) {
+						*m = NULL;
+					}
 					return (0);
 				}
 			}
@@ -1821,6 +1830,9 @@ failed_pdapi_express_del:
 			} else {
 				sctp_queue_data_to_stream(stcb, asoc, control, abort_flag);
 				if (*abort_flag) {
+					if (last_chunk) {
+						*m = NULL;
+					}
 					return (0);
 				}
 			}
@@ -1833,7 +1845,9 @@ failed_pdapi_express_del:
 			 * the assoc is now gone and chk was put onto the
 			 * reasm queue, which has all been freed.
 			 */
-			*m = NULL;
+			if (last_chunk) {
+				*m = NULL;
+			}
 			return (0);
 		}
 	}

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201405152021.s4FKLJ5c086878>