Author: tuexen Date: Wed Jun 24 14:47:51 2020 New Revision: 362581 URL: https://svnweb.freebsd.org/changeset/base/362581
Log: Fix the acconting for fragmented unordered messages when using interleaving. This was reported for the userland stack in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19321 MFC after: 1 week Modified: head/sys/netinet/sctp_indata.c Modified: head/sys/netinet/sctp_indata.c ============================================================================== --- head/sys/netinet/sctp_indata.c Wed Jun 24 13:52:53 2020 (r362580) +++ head/sys/netinet/sctp_indata.c Wed Jun 24 14:47:51 2020 (r362581) @@ -1111,6 +1111,16 @@ sctp_deliver_reasm_check(struct sctp_tcb *stcb, struct #endif SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); + if (asoc->size_on_all_streams >= control->length) { + asoc->size_on_all_streams -= control->length; + } else { +#ifdef INVARIANTS + panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); +#else + asoc->size_on_all_streams = 0; +#endif + } + sctp_ucount_decr(asoc->cnt_on_all_streams); control->on_strm_q = 0; } if (control->on_read_q == 0) { @@ -1391,7 +1401,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc } /* Must be added to the stream-in queue */ if (created_control) { - if (unordered == 0) { + if ((unordered == 0) || (asoc->idata_supported)) { sctp_ucount_incr(asoc->cnt_on_all_streams); } if (sctp_place_control_in_stream(strm, asoc, control)) { _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
