authorMichael Tuexen <tuexen@FreeBSD.org>2012-03-13 16:42:39 +0000
committerMichael Tuexen <tuexen@FreeBSD.org>2012-03-13 16:42:39 +0000
commit16dc3d4688494efbd1be4d702cc96560779d4f3b (patch)
treec360664b31a77c37219e33b4fbcfcd955e5b30d3
parent68ecc48e4309cdc51d72393bc1b2bf76c05b19c9 (diff)
MFC r232723, r232726:
Fix a bug reported by Peter Holm which results in a crash: Verify in sctp_peeloff() that the socket is a one-to-many style SCTP socket. Approved by: re@
Notes
Notes: svn path=/releng/8.3/; revision=232928
-rw-r--r--sys/netinet/sctp_peeloff.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/sys/netinet/sctp_peeloff.c b/sys/netinet/sctp_peeloff.c
index b425add62b40..425e3e9fcf63 100644
--- a/sys/netinet/sctp_peeloff.c
+++ b/sys/netinet/sctp_peeloff.c
@@ -55,9 +55,18 @@ sctp_can_peel_off(struct socket *head, sctp_assoc_t assoc_id)
struct sctp_tcb *stcb;
uint32_t state;
+ if (head == NULL) {
+ SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EBADF);
+ return (EBADF);
+ }
+ if ((head->so_proto->pr_protocol != IPPROTO_SCTP) ||
+ (head->so_type != SOCK_SEQPACKET)) {
+ SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EOPNOTSUPP);
+ return (EOPNOTSUPP);
+ }
inp = (struct sctp_inpcb *)head->so_pcb;
if (inp == NULL) {
- SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EFAULT);
+ SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_PEELOFF, EFAULT);
return (EFAULT);
}
stcb = sctp_findassociation_ep_asocid(inp, assoc_id, 1);
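Review bot: The new protocol/type test is the only thing that makes the following cast `inp = (struct sctp_inpcb *)head->so_pcb` type-safe, but nothing in the code says so. A comment above the test would keep a later refactor from moving or dropping it, for example `/* so_pcb is a struct sctp_inpcb only for one-to-many SCTP sockets; reject everything else before the cast. */`. The test also dereferences `head->so_proto` unconditionally; that pointer is presumably always set on a live socket, which is worth confirming for this path. Any other function in this file that casts `head->so_pcb` (none is visible in this hunk) depends on sctp_can_peel_off() having run first on the same socket, so that ordering should be checked in the callers. The body of sctp_can_peel_off() starts before and continues after the hunk.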