From 877f5726faf34aebaa270edd88c29882b0a0d104 Mon Sep 17 00:00:00 2001 From: rrs Date: Thu, 9 Nov 2006 21:01:07 +0000 Subject: Fixes an issue with handling of stream reset. When a reset comes in we need to calculate the length and therefore the number of listed streams (if any) based on the TLV type. Otherwise if we get a retran we could in theory panic by sending a notification to a user with a incorrect list and thus no memory listing the streams. Found in IOS by devtest :-) Approved by: gnn
---
 sys/netinet/sctp_input.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'sys/netinet/sctp_input.c')
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index ac8940c..e724f52 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -2715,8 +2715,7 @@ sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
 static int
 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
 uint32_t seq, uint32_t action,
- struct sctp_stream_reset_response *respin
-)
+ struct sctp_stream_reset_response *respin)
 {
 uint16_t type;
 int lparm_len;
@@ -2735,8 +2734,8 @@ sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
 stcb->asoc.str_reset_seq_out++;
 type = ntohs(srparam->ph.param_type);
 lparm_len = ntohs(srparam->ph.param_length);
- number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
 if (type == SCTP_STR_RESET_OUT_REQUEST) {
+ number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
 asoc->stream_reset_out_is_outstanding = 0;
 if (asoc->stream_reset_outstanding)
 asoc->stream_reset_outstanding--;
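Review bot: Both new `number_entries` computations, here in the `SCTP_STR_RESET_OUT_REQUEST` branch and in the `SCTP_STR_RESET_IN_REQUEST` branch of the next hunk, subtract a `sizeof` from the `int lparm_len`, so the arithmetic is carried out in `size_t`. A `param_length` smaller than the request header therefore wraps to a very large entry count rather than a negative one. No lower-bound check on `lparm_len` is visible in these hunks, so I would guard each branch with `if (lparm_len < (int)sizeof(struct sctp_stream_reset_out_request))` (and the `_in_request` equivalent), treating the parameter as carrying zero entries or rejecting it. `srparam` is assigned outside the hunk, so whether its length can be influenced by the peer should be confirmed. The function body starts and ends outside these hunks.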
@@ -2748,6 +2747,7 @@ sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
 }
 } else if (type == SCTP_STR_RESET_IN_REQUEST) {
 /* Answered my request */
+ number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
 if (asoc->stream_reset_outstanding)
 asoc->stream_reset_outstanding--;
 if (action != SCTP_STREAM_RESET_PERFORMED) {
-- cgit v1.1
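Review bot: After this change `number_entries` is assigned only inside the `SCTP_STR_RESET_OUT_REQUEST` and `SCTP_STR_RESET_IN_REQUEST` branches, so any other `type` value reaches the rest of the `else if` chain without it being set. The declaration and the remainder of the chain are outside the hunks; if the declaration has no initializer, a later read would see an indeterminate count. I would add `number_entries = 0;` directly after the `lparm_len = ntohs(srparam->ph.param_length);` line so every path starts from a defined value. A short comment there, such as `/* entry count depends on the TLV type; set per branch below */`, would also record why the computation is no longer shared.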