diff --git a/patches/usrsctp/.patches b/patches/usrsctp/.patches
index a679b67919e29..04537a78dfef6 100644
--- a/patches/usrsctp/.patches
+++ b/patches/usrsctp/.patches
@@ -1,3 +1,4 @@
 cherry_picking_improve_the_input_validation_and_processing_of.patch
 cherry_picking_clean_up_more_resources_of_an_existing_sctp.patch
 cherry_picking_harden_the_handling_of_outgoing_streams.patch
+improve_restart_handling.patch
diff --git a/patches/usrsctp/improve_restart_handling.patch b/patches/usrsctp/improve_restart_handling.patch
new file mode 100644
index 0000000000000..b68646d2f2c29
--- /dev/null
+++ b/patches/usrsctp/improve_restart_handling.patch
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Tuexen
+Date: Mon, 3 May 2021 02:29:58 +0200
+Subject: Improve restart handling.
+
+This fixes in particular a possible use after free bug reported
+Anatoly Korniltsev and Taylor Brandstetter for the userland stack.
+
+diff --git a/usrsctplib/netinet/sctp_input.c b/usrsctplib/netinet/sctp_input.c
+index 6a5bdba4264b47e10766467255dd9ebd5d135556..c36743b1fd2c3ab82cacbbf78e2e07547da2e457 100755
+--- a/usrsctplib/netinet/sctp_input.c
++++ b/usrsctplib/netinet/sctp_input.c
+@@ -2015,11 +2015,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ /* temp code */
+ if (how_indx < sizeof(asoc->cookie_how))
+ asoc->cookie_how[how_indx] = 12;
+- sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net,
+- SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
+- sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
+- SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
+-
++ sctp_stop_association_timers(stcb, false);
+ /* notify upper layer */
+ *notification = SCTP_NOTIFY_ASSOC_RESTART;
+ atomic_add_int(&stcb->asoc.refcnt, 1);
+@@ -2054,6 +2050,10 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ asoc->str_reset_seq_in = asoc->init_seq_number;
+
+ asoc->advanced_peer_ack_point = asoc->last_acked_seq;
++ asoc->data_pkts_seen = 0;
++ asoc->last_data_chunk_from = NULL;
++ asoc->last_control_chunk_from = NULL;
++ asoc->last_net_cmt_send_started = NULL;
+ if (asoc->mapping_array) {
+ memset(asoc->mapping_array, 0,
+ asoc->mapping_array_size);
+@@ -2118,6 +2118,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
+ SCTP_DECR_CHK_COUNT();
+ }
++ asoc->ctrl_queue_cnt = 0;
++ asoc->str_reset = NULL;
++ asoc->stream_reset_outstanding = 0;
+ TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
+ TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
+ if (chk->data) {
+@@ -2188,12 +2191,13 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ return (NULL);
+ }
+ /* respond with a COOKIE-ACK */
+- sctp_stop_all_cookie_timers(stcb);
+- sctp_toss_old_cookies(stcb, asoc);
+ sctp_send_cookie_ack(stcb);
+ if (how_indx < sizeof(asoc->cookie_how))
+ asoc->cookie_how[how_indx] = 15;
+-
++ if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE) &&
++ (asoc->sctp_autoclose_ticks > 0)) {
++ sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
++ }
+ return (stcb);
+ }
+ if (how_indx < sizeof(asoc->cookie_how))
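Review bot: The assignments that actually close the use-after-free the description names — `asoc->str_reset = NULL;` right after the control-queue drain at 2118 (str_reset otherwise keeps pointing at a chunk that loop just `SCTP_ZONE_FREE`d) and the `last_data_chunk_from` / `last_control_chunk_from` / `last_net_cmt_send_started` resets at 2050 — carry no comment saying why they are there, so a later cleanup could drop them as "redundant"; a one-liner at each site such as `/* control_send_queue was freed above; str_reset must not dangle into it */` and `/* per-net cached pointers are invalid across a restart; presumably the nets they point to can be freed */` would pin that down. `sctp_stop_association_timers(stcb, false)` is used but not defined anywhere in this patch, so it presumably comes from an earlier entry in `.patches` (the clean-up cherry-pick) — worth confirming the series order is what makes this apply. Dropping `sctp_stop_all_cookie_timers()` and `sctp_toss_old_cookies()` before the COOKIE-ACK appears safe only because this same restart branch now stops all timers at 2015 and drains the whole control queue at 2118; if that drain loop (whose head is outside the hunk) ever gains an early exit, stale COOKIE_ECHO chunks would survive again. The enclosing `sctp_process_cookie_existing` starts before and continues past the hunk.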