diff options
author | tuexen <tuexen@FreeBSD.org> | 2010-06-14 21:25:07 +0000 |
---|---|---|
committer | tuexen <tuexen@FreeBSD.org> | 2010-06-14 21:25:07 +0000 |
commit | 9afd287a77d209e55688822292e8df6437e69c63 (patch) | |
tree | a80aa9a00a1a5c447be7cb468dd17783993abdfc /sys/netinet/sctp_asconf.c | |
parent | 7824be8be004a77de157cf30d317990b32ee47f8 (diff) | |
download | FreeBSD-src-9afd287a77d209e55688822292e8df6437e69c63.zip FreeBSD-src-9afd287a77d209e55688822292e8df6437e69c63.tar.gz |
* Fix a bug where the length of the ASCONF-ACK was calculated wrong due
to using an uninitialized variable.
* Fix a bug where a NULL pointer was dereferenced when interfaces
come and go at a high rate.
* Fix a bug where inps where not deregistered from iterators.
* Fix a race condition in freeing an association.
* Fix a refcount problem related to the iterator.
Each of the above bug results in a panic. It shows up when
interfaces come and go at a high rate.
Obtained from: rrs (partly)
MFC after: 3 days
Diffstat (limited to 'sys/netinet/sctp_asconf.c')
-rw-r--r-- | sys/netinet/sctp_asconf.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c index 2d16ef0..ee5dc0d 100644 --- a/sys/netinet/sctp_asconf.c +++ b/sys/netinet/sctp_asconf.c @@ -826,6 +826,7 @@ send_reply: ack->serial_number = serial_num; ack->last_sent_to = NULL; ack->data = m_ack; + ack->len = 0; n = m_ack; while (n) { ack->len += SCTP_BUF_LEN(n); @@ -1025,7 +1026,8 @@ sctp_asconf_nets_cleanup(struct sctp_tcb *stcb, struct sctp_ifn *ifn) * address. */ if (SCTP_ROUTE_HAS_VALID_IFN(&net->ro) && - SCTP_GET_IF_INDEX_FROM_ROUTE(&net->ro) != ifn->ifn_index) { + ((ifn == NULL) || + (SCTP_GET_IF_INDEX_FROM_ROUTE(&net->ro) != ifn->ifn_index))) { /* clear any cached route */ RTFREE(net->ro.ro_rt); net->ro.ro_rt = NULL; |