- Incorrect error EAGAIN returned for invalid send on a locked

  stream (using EEOR mode). Changed to EINVAL (in sctp_output.c)
- Static analysis comments added
- fix in mobility code to return a value (static analysis found).
- sctp6_notify function made visible instead of
  static (this is needed for Panda).

Approved by:	re@freebsd.org (B Mah)

9 files changed, 36 insertions, 13 deletions

diff --git a/sys/netinet/sctp_indata.c b/sys/netinet/sctp_indata.c
index 5179e75..842aca6 100644
--- a/sys/netinet/sctp_indata.c
+++ b/sys/netinet/sctp_indata.c
@@ -3949,6 +3949,7 @@ sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
 							    tp1->rec.data.TSN_seq);
 						}
 						sctp_flight_size_decrease(tp1);
+						/* sa_ignore NO_NULL_CHK */
 						sctp_total_flight_decrease(stcb, tp1);
 					}
 					tp1->whoTo->net_ack += tp1->send_size;
@@ -3963,6 +3964,10 @@ sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
 						/* update RTO too? */
 						if (tp1->do_rtt) {
 							tp1->whoTo->RTO =
+							/*
+							 * sa_ignore
+							 * NO_NULL_CHK
+							 */
 							    sctp_calculate_rto(stcb,
 							    asoc, tp1->whoTo,
 							    &tp1->sent_rcv_time,
@@ -3987,6 +3992,7 @@ sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
 					tp1->whoTo->find_rtx_pseudo_cumack = 1;
 
 					if (sctp_logging_level & SCTP_CWND_LOGGING_ENABLE) {
+						/* sa_ignore NO_NULL_CHK */
 						sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.TSN_seq, SCTP_CWND_LOG_FROM_SACK);
 					}
 				}
@@ -4001,6 +4007,7 @@ sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
 				tp1->sent = SCTP_DATAGRAM_ACKED;
 				TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
 				if (tp1->data) {
+					/* sa_ignore NO_NULL_CHK */
 					sctp_free_bufspace(stcb, asoc, tp1, 1);
 					sctp_m_freem(tp1->data);
 				}
@@ -4022,6 +4029,7 @@ sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
 		}
 
 	}
+	/* sa_ignore NO_NULL_CHK */
 	if (stcb->sctp_socket) {
 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 		struct socket *so;
@@ -4030,6 +4038,7 @@ sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
 
 		SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
 		if (sctp_logging_level & SCTP_WAKE_LOGGING_ENABLE) {
+			/* sa_ignore NO_NULL_CHK */
 			sctp_wakeup_log(stcb, cumack, 1, SCTP_WAKESND_FROM_SACK);
 		}
 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
@@ -4745,6 +4754,7 @@ skip_segments:
 			asoc->total_flight = 0;
 		}
 		if (tp1->data) {
+			/* sa_ignore NO_NULL_CHK */
 			sctp_free_bufspace(stcb, asoc, tp1, 1);
 			sctp_m_freem(tp1->data);
 			if (PR_SCTP_BUF_ENABLED(tp1->flags)) {
@@ -4767,6 +4777,7 @@ skip_segments:
 	} while (tp1 != NULL);
 
 done_with_it:
+	/* sa_ignore NO_NULL_CHK */
 	if ((wake_him) && (stcb->sctp_socket)) {
 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 		struct socket *so;
@@ -5574,11 +5585,13 @@ slide_out:
 				    stseq->sequence;
 			}
 			/* now kick the stream the new way */
+			/* sa_ignore NO_NULL_CHK */
 			sctp_kick_prsctp_reorder_queue(stcb, strm);
 		}
 	}
 	if (TAILQ_FIRST(&asoc->reasmqueue)) {
 		/* now lets kick out and check for more fragmented delivery */
+		/* sa_ignore NO_NULL_CHK */
 		sctp_deliver_reasm_check(stcb, &stcb->asoc);
 	}
 }
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 4913368..aaa74b5 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -3142,6 +3142,7 @@ sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
 	}
 	asoc->ctrl_queue_cnt--;
 	sctp_free_a_chunk(stcb, chk);
+	/* sa_ignore NO_NULL_CHK */
 	stcb->asoc.str_reset = NULL;
 }
 
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index 64eb825..cd51333 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -5470,8 +5470,8 @@ sctp_msg_append(struct sctp_tcb *stcb,
 	}
 	if ((stcb->asoc.stream_locked) &&
 	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
-		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAGAIN);
-		error = EAGAIN;
+		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
+		error = EINVAL;
 		goto out_now;
 	}
 	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
@@ -9964,7 +9964,9 @@ sctp_send_packet_dropped(struct sctp_tcb *stcb, struct sctp_nets *net,
 	struct sctp_chunkhdr *ch, chunk_buf;
 	unsigned int chk_length;
 
-	/* sa_ignore NO_NULL_CHK */
+	if (!stcb) {
+		return;
+	}
 	asoc = &stcb->asoc;
 	SCTP_TCB_LOCK_ASSERT(stcb);
 	if (asoc->peer_supports_pktdrop == 0) {
@@ -11644,8 +11646,8 @@ sctp_lower_sosend(struct socket *so,
 		if ((asoc->stream_locked) &&
 		    (asoc->stream_locked_on != srcv->sinfo_stream)) {
 			SCTP_TCB_SEND_UNLOCK(stcb);
-			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAGAIN);
-			error = EAGAIN;
+			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
+			error = EINVAL;
 			goto out;
 		}
 		SCTP_TCB_SEND_UNLOCK(stcb);
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index e7830fc..d5aa177 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -5919,6 +5919,7 @@ sctp_drain_mbufs(struct sctp_inpcb *inp, struct sctp_tcb *stcb)
 		}
 		asoc->last_revoke_count = cnt;
 		(void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
+		/* sa_ignore NO_NULL_CHK */
 		sctp_send_sack(stcb);
 		sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_DRAIN, SCTP_SO_NOT_LOCKED);
 		reneged_asoc_ids[reneged_at] = sctp_get_associd(stcb);
diff --git a/sys/netinet/sctp_timer.c b/sys/netinet/sctp_timer.c
index b9d4b62..e9b28b6 100644
--- a/sys/netinet/sctp_timer.c
+++ b/sys/netinet/sctp_timer.c
@@ -1389,21 +1389,21 @@ sctp_asconf_timer(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
 }
 
 /* Mobility adaptation */
-int
+void
 sctp_delete_prim_timer(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
     struct sctp_nets *net)
 {
 	if (stcb->asoc.deleted_primary == NULL) {
 		SCTPDBG(SCTP_DEBUG_ASCONF1, "delete_prim_timer: deleted_primary is not stored...\n");
 		sctp_mobility_feature_off(inp, SCTP_MOBILITY_PRIM_DELETED);
-		return (0);
+		return;
 	}
 	SCTPDBG(SCTP_DEBUG_ASCONF1, "delete_prim_timer: finished to keep deleted primary ");
 	SCTPDBG_ADDR(SCTP_DEBUG_ASCONF1, &stcb->asoc.deleted_primary->ro._l_addr.sa);
 	sctp_free_remote_addr(stcb->asoc.deleted_primary);
 	stcb->asoc.deleted_primary = NULL;
 	sctp_mobility_feature_off(inp, SCTP_MOBILITY_PRIM_DELETED);
-	return (0);
+	return;
 }
 
 /*
diff --git a/sys/netinet/sctp_timer.h b/sys/netinet/sctp_timer.h
index 0a0f2f2..216d0d4 100644
--- a/sys/netinet/sctp_timer.h
+++ b/sys/netinet/sctp_timer.h
@@ -87,7 +87,7 @@ int
 sctp_asconf_timer(struct sctp_inpcb *, struct sctp_tcb *,
     struct sctp_nets *);
 
-int
+void
 sctp_delete_prim_timer(struct sctp_inpcb *, struct sctp_tcb *,
     struct sctp_nets *);
 
diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c
index 05ab850..8b4d47b 100644
--- a/sys/netinet/sctputil.c
+++ b/sys/netinet/sctputil.c
@@ -1771,9 +1771,7 @@ sctp_timeout_handler(void *t)
 		if ((stcb == NULL) || (inp == NULL)) {
 			break;
 		}
-		if (sctp_delete_prim_timer(inp, stcb, net)) {
-			goto out_decr;
-		}
+		sctp_delete_prim_timer(inp, stcb, net);
 		SCTP_STAT_INCR(sctps_timodelprim);
 		break;
 
diff --git a/sys/netinet6/sctp6_usrreq.c b/sys/netinet6/sctp6_usrreq.c
index 89bb51c..8b6c249 100644
--- a/sys/netinet6/sctp6_usrreq.c
+++ b/sys/netinet6/sctp6_usrreq.c
@@ -315,7 +315,7 @@ out:
 }
 
 
-static void
+void
 sctp6_notify(struct sctp_inpcb *inp,
     struct icmp6_hdr *icmph,
     struct sctphdr *sh,
diff --git a/sys/netinet6/sctp6_var.h b/sys/netinet6/sctp6_var.h
index 976d763..3b744e3 100644
--- a/sys/netinet6/sctp6_var.h
+++ b/sys/netinet6/sctp6_var.h
@@ -46,5 +46,13 @@ __P((struct sctp_inpcb *, struct mbuf *, struct sockaddr *,
 	void sctp6_ctlinput __P((int, struct sockaddr *, void *));
 
 
+	extern void sctp6_notify(struct sctp_inpcb *inp,
+         struct icmp6_hdr *icmph,
+         struct sctphdr *sh,
+         struct sockaddr *to,
+         struct sctp_tcb *stcb,
+         struct sctp_nets *net);
+
+
 #endif				/* _KERNEL */
 #endif