diff options
| author | Michael Tuexen <tuexen@FreeBSD.org> | 2020-06-24 14:47:51 +0000 |
|---|---|---|
| committer | Michael Tuexen <tuexen@FreeBSD.org> | 2020-06-24 14:47:51 +0000 |
| commit | 132c073866249f08f40681e3b1eacd2f63432490 (patch) | |
| tree | 5a5263a1b3793ae92a6326849b58cf5bb375f2b1 /sys | |
| parent | 6e26dd0dbea6e240e25b9e63f31e0563317bb925 (diff) | |
| download | src-132c073866249f08f40681e3b1eacd2f63432490.tar.gz src-132c073866249f08f40681e3b1eacd2f63432490.zip | |
Fix the acconting for fragmented unordered messages when using
interleaving.
This was reported for the userland stack in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19321
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=362581
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netinet/sctp_indata.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/netinet/sctp_indata.c b/sys/netinet/sctp_indata.c index 79ae9b7bdf19..6cac99db3948 100644 --- a/sys/netinet/sctp_indata.c +++ b/sys/netinet/sctp_indata.c @@ -1111,6 +1111,16 @@ sctp_deliver_reasm_check(struct sctp_tcb *stcb, struct sctp_association *asoc, #endif SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); + if (asoc->size_on_all_streams >= control->length) { + asoc->size_on_all_streams -= control->length; + } else { +#ifdef INVARIANTS + panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); +#else + asoc->size_on_all_streams = 0; +#endif + } + sctp_ucount_decr(asoc->cnt_on_all_streams); control->on_strm_q = 0; } if (control->on_read_q == 0) { @@ -1391,7 +1401,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, } /* Must be added to the stream-in queue */ if (created_control) { - if (unordered == 0) { + if ((unordered == 0) || (asoc->idata_supported)) { sctp_ucount_incr(asoc->cnt_on_all_streams); } if (sctp_place_control_in_stream(strm, asoc, control)) { |