chore: cherry-pick 0f8d58300b from usrsctp (#29877)

* chore: cherry-pick 0f8d58300b from usrsctp * chore: update patches Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
electron · Jun 28, 2021 · b16d453 · b16d453
1 parent 6f50aa1
commit b16d453
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 0 deletions.
diff --git a/patches/usrsctp/.patches b/patches/usrsctp/.patches
@@ -1,3 +1,4 @@
 cherry_picking_improve_the_input_validation_and_processing_of.patch
 cherry_picking_clean_up_more_resources_of_an_existing_sctp.patch
 cherry_picking_harden_the_handling_of_outgoing_streams.patch
+improve_restart_handling.patch
diff --git a/patches/usrsctp/improve_restart_handling.patch b/patches/usrsctp/improve_restart_handling.patch
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Tuexen <tuexen@fh-muenster.de>
+Date: Mon, 3 May 2021 02:29:58 +0200
+Subject: Improve restart handling.
+
+This fixes in particular a possible use after free bug reported
+Anatoly Korniltsev and Taylor Brandstetter for the userland stack.
+
+diff --git a/usrsctplib/netinet/sctp_input.c b/usrsctplib/netinet/sctp_input.c
+index 6a5bdba4264b47e10766467255dd9ebd5d135556..c36743b1fd2c3ab82cacbbf78e2e07547da2e457 100755
+--- a/usrsctplib/netinet/sctp_input.c
++++ b/usrsctplib/netinet/sctp_input.c
+@@ -2015,11 +2015,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ 		/* temp code */
+ 		if (how_indx < sizeof(asoc->cookie_how))
+ 			asoc->cookie_how[how_indx] = 12;
+-		sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net,
+-		                SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
+-		sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
+-		                SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
+-
++		sctp_stop_association_timers(stcb, false);
+ 		/* notify upper layer */
+ 		*notification = SCTP_NOTIFY_ASSOC_RESTART;
+ 		atomic_add_int(&stcb->asoc.refcnt, 1);
+@@ -2054,6 +2050,10 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ 		asoc->str_reset_seq_in = asoc->init_seq_number;
+
+ 		asoc->advanced_peer_ack_point = asoc->last_acked_seq;
++		asoc->data_pkts_seen = 0;
++		asoc->last_data_chunk_from = NULL;
++		asoc->last_control_chunk_from = NULL;
++		asoc->last_net_cmt_send_started = NULL;
+ 		if (asoc->mapping_array) {
+ 			memset(asoc->mapping_array, 0,
+ 			       asoc->mapping_array_size);
+@@ -2118,6 +2118,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ 			SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
+ 			SCTP_DECR_CHK_COUNT();
+ 		}
++		asoc->ctrl_queue_cnt = 0;
++		asoc->str_reset = NULL;
++		asoc->stream_reset_outstanding = 0;
+ 		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
+ 			TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
+ 			if (chk->data) {
+@@ -2188,12 +2191,13 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
+ 			return (NULL);
+ 		}
+ 		/* respond with a COOKIE-ACK */
+-		sctp_stop_all_cookie_timers(stcb);
+-		sctp_toss_old_cookies(stcb, asoc);
+ 		sctp_send_cookie_ack(stcb);
+ 		if (how_indx < sizeof(asoc->cookie_how))
+ 			asoc->cookie_how[how_indx] = 15;
+-
++		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE) &&
++		    (asoc->sctp_autoclose_ticks > 0)) {
++			sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
++		}
+ 		return (stcb);
+ 	}
+ 	if (how_indx < sizeof(asoc->cookie_how))