diff options
author | tuexen <tuexen@FreeBSD.org> | 2012-03-09 13:12:33 +0000 |
---|---|---|
committer | tuexen <tuexen@FreeBSD.org> | 2012-03-09 13:12:33 +0000 |
commit | d140145f2cefd9f724bac1c1bda9ffb4090f6d63 (patch) | |
tree | 8740cd792cba3ecba0e8b5145c5c80750844417c /sys/netinet | |
parent | 8396cde5ccb893c1c14c8071f9fee10b22d4ee01 (diff) | |
download | FreeBSD-src-d140145f2cefd9f724bac1c1bda9ffb4090f6d63.zip FreeBSD-src-d140145f2cefd9f724bac1c1bda9ffb4090f6d63.tar.gz |
Fix a bug reported by Peter Holm which results in a crash:
Verify in sctp_peeloff() that the socket is a one-to-many
style SCTP socket.
MFC after: 3 days.
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/sctp_peeloff.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/netinet/sctp_peeloff.c b/sys/netinet/sctp_peeloff.c index b425add..6debd8f 100644 --- a/sys/netinet/sctp_peeloff.c +++ b/sys/netinet/sctp_peeloff.c @@ -55,6 +55,15 @@ sctp_can_peel_off(struct socket *head, sctp_assoc_t assoc_id) struct sctp_tcb *stcb; uint32_t state; + if (head == NULL) { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EBADF); + return (EBADF); + } + if ((head->so_proto->pr_protocol != IPPROTO_SCTP) || + (head->so_type != SOCK_SEQPACKET)) { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EOPNOTSUPP); + return (EOPNOTSUPP); + } inp = (struct sctp_inpcb *)head->so_pcb; if (inp == NULL) { SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EFAULT); |