sctp: use a valid outstream when adding it to the scheduler

Without holding the stcb send lock, the outstreams might get reallocated if the number of streams are increased. Reported by: syzbot+4a5431d7caa666f2c19c@syzkaller.appspotmail.com Reported by: syzbot+aa2e3b013a48870e193d@syzkaller.appspotmail.com Reported by: syzbot+e4368c3bde07cd2fb29f@syzkaller.appspotmail.com Reported by: syzbot+fe2f110e34811ea91690@syzkaller.appspotmail.com Reported by: syzbot+ed6e8de942351d0309f4@syzkaller.appspotmail.com MFC after: 1 week
DimitryAndric · Sep 20, 2021 · 34b1efc · 34b1efc
1 parent b94d360
commit 34b1efc
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
@@ -6337,7 +6337,6 @@ sctp_msg_append(struct sctp_tcb *stcb,
 		error = EINVAL;
 		goto out_now;
 	}
-	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
 	/* Now can we send this? */
 	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) ||
 	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
@@ -6396,6 +6395,7 @@ sctp_msg_append(struct sctp_tcb *stcb,
 	if (hold_stcb_lock == 0) {
 		SCTP_TCB_SEND_LOCK(stcb);
 	}
+	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
 	sctp_snd_sb_alloc(stcb, sp->length);
 	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
 	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
@@ -13137,6 +13137,8 @@ sctp_lower_sosend(struct socket *so,
 				goto out;
 			}
 			SCTP_TCB_SEND_LOCK(stcb);
+			/* The out streams might be reallocated. */
+			strm = &stcb->asoc.strmout[srcv->sinfo_stream];
 			if (sp->msg_is_complete) {
 				strm->last_msg_incomplete = 0;
 				asoc->stream_locked = 0;