Bug fix: If the allocation of a socket failed and we

freed the inpcb, it was possible to not set the
proper flags on the pcb (i.e. the socket is not there).
This is HIGHLY unlikely since no one else should be
able to find the socket.. but for consistency we
do the proper loop thing to make sure that we
mark the socket as gone on the PCB.

1 files changed, 7 insertions, 1 deletions

diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 676e575..71f5f65 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -551,6 +551,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
 	sctp_log_closing(inp, NULL, 17);
 #endif
 	if (error != 0) {
+try_again:
 		flags = inp->sctp_flags;
 		if (((flags & SCTP_PCB_FLAGS_SOCKET_GONE) == 0) &&
 		    (atomic_cmpset_int(&inp->sctp_flags, flags, (flags | SCTP_PCB_FLAGS_SOCKET_GONE | SCTP_PCB_FLAGS_CLOSE_IP)))) {
@@ -561,7 +562,12 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
 			sctp_inpcb_free(inp, SCTP_FREE_SHOULD_USE_ABORT,
 			    SCTP_CALLED_AFTER_CMPSET_OFCLOSE);
 		} else {
-			SCTP_INP_WUNLOCK(inp);
+			flags = inp->sctp_flags;
+			if ((flags & SCTP_PCB_FLAGS_SOCKET_GONE) == 0) {
+				goto try_again;
+			} else {
+				SCTP_INP_WUNLOCK(inp);
+			}
 		}
 		return error;
 	}