author | rrs <rrs@FreeBSD.org> | 2006-11-09 21:01:07 +0000 |
---|---|---|
committer | rrs <rrs@FreeBSD.org> | 2006-11-09 21:01:07 +0000 |
commit | 877f5726faf34aebaa270edd88c29882b0a0d104 (patch) | |
tree | 8f3dfe7b55e5a3c1e8600adad0e4317d8330f21e /sys/netinet/sctp_input.c | |
parent | 1b8790bd34bd25bd494197b1232690f171459ae4 (diff) | |
Fixes an issue with handling of stream reset. When a
reset comes in we need to calculate the length and
therefore the number of listed streams (if any) based
on the TLV type. Otherwise, if we get a retransmission, we could
in theory panic by sending a notification to a user with
an incorrect list and thus no memory listing the streams.
Found in IOS by devtest :-)
Approved by: gnn
Diffstat (limited to 'sys/netinet/sctp_input.c')
-rw-r--r-- | sys/netinet/sctp_input.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index ac8940c..e724f52 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -2715,8 +2715,7 @@ sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
 static int
 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
 uint32_t seq, uint32_t action,
- struct sctp_stream_reset_response *respin
-)
+ struct sctp_stream_reset_response *respin)
 {
 uint16_t type;
 int lparm_len;
@@ -2735,8 +2734,8 @@ sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
 stcb->asoc.str_reset_seq_out++;
 type = ntohs(srparam->ph.param_type);
 lparm_len = ntohs(srparam->ph.param_length);
- number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
 if (type == SCTP_STR_RESET_OUT_REQUEST) {
+ number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
 asoc->stream_reset_out_is_outstanding = 0;
 if (asoc->stream_reset_outstanding)
 asoc->stream_reset_outstanding--;
@@ -2748,6 +2747,7 @@ sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
 }
 } else if (type == SCTP_STR_RESET_IN_REQUEST) {
 /* Answered my request */
+ number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
 if (asoc->stream_reset_outstanding)
 asoc->stream_reset_outstanding--;
 if (action != SCTP_STREAM_RESET_PERFORMED) {
 |
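Review bot: The `number_entries` computation moved into the `SCTP_STR_RESET_OUT_REQUEST` branch subtracts a `sizeof` from `lparm_len` with no lower-bound check, and the line added for `SCTP_STR_RESET_IN_REQUEST` in the next hunk has the same shape. `lparm_len` is declared `int`, so the subtraction is carried out in `size_t`, and a `param_length` shorter than the request structure would wrap to a very large count instead of going negative. Where `srparam` comes from is not visible here, so this may be unreachable if it is always a locally built request, but the commit message says the count describes the stream list passed to the user notification. A guard such as `if (lparm_len < (int)sizeof(struct sctp_stream_reset_out_request))` that treats the list as empty, with the matching check in the IN branch, would close that off. The function body starts and ends outside the hunk.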
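Review bot: `number_entries` is now assigned only inside the `SCTP_STR_RESET_OUT_REQUEST` and `SCTP_STR_RESET_IN_REQUEST` branches, whereas before this commit it was set for every `type`. Its declaration and any further `else` branches lie outside the hunk, so if one of them reads `number_entries` it would see an indeterminate value unless the declaration initialises it. Initialising it to 0 where it is declared, or adding a comment above the branch chain such as `/* only OUT and IN requests carry a stream list; number_entries is unused otherwise */`, would make the intent explicit.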