
Unlock TCB whenever returning early from sctp_process_cookie_existing. #587

Merged: 1 commit, May 12, 2021

Conversation

taylor-b
Contributor

Unless returning after sctp_abort_an_association.
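The fix this PR describes, as an added C model that is not usrsctp's own code: a buggy shape that returns early with the TCB still locked (so the next lock on that association deadlocks) beside the fixed shape that unlocks on every early return except after the abort, which has already freed the TCB. The struct fields, the lock helpers and the convention that the function is entered with the TCB locked are assumptions of the model, not statements about usrsctp internals.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of a TCB and its lock; not usrsctp's struct sctp_tcb. */
struct tcb {
    int locked;        /* 1 while the non-recursive TCB lock is held */
    int cookie_valid;  /* constructed flag: 0 forces the failure path */
    int peer_aborted;  /* constructed flag: 1 forces the abort path */
};
/* Non-recursive lock: acquiring while held would block forever, so the
 * model returns false (deadlock) instead of hanging. */
static bool tcb_lock(struct tcb *stcb) {
    if (stcb->locked) return false;
    stcb->locked = 1;
    return true;
}
static void tcb_unlock(struct tcb *stcb) { stcb->locked = 0; }
/* Model of sctp_abort_an_association: frees the TCB (lock included); the caller must not touch stcb afterwards. */
static void abort_association(struct tcb *stcb) { free(stcb); }
/* Both variants are entered with the TCB locked by the caller (model
 * assumption) and keep it locked on success; on failure they return NULL
 * and, per this PR, must release the lock. Buggy shape first. */
static struct tcb *cookie_existing_buggy(struct tcb *stcb) {
    if (!stcb->cookie_valid)
        return NULL;               /* BUG: returns with the TCB still locked */
    return stcb;
}
/* Fixed shape: every early return unlocks, except after the abort, which
 * already freed the TCB (an unlock there would be a use-after-free). */
static struct tcb *cookie_existing_fixed(struct tcb *stcb) {
    if (stcb->peer_aborted) {
        abort_association(stcb);   /* stcb is gone: no unlock here */
        return NULL;
    }
    if (!stcb->cookie_valid) {
        tcb_unlock(stcb);
        return NULL;
    }
    return stcb;
}
/* Probe: fail a cookie under the lock, then lock again as the next packet
 * for this association would. false means that next lock would deadlock. */
static bool next_lock_succeeds_after_failure(struct tcb *(*fn)(struct tcb *)) {
    struct tcb *stcb = calloc(1, sizeof *stcb);   /* cookie_valid == 0 */
    tcb_lock(stcb);
    fn(stcb);
    bool ok = tcb_lock(stcb);
    free(stcb);
    return ok;
}
```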

@tuexen tuexen merged commit 0ed173a into sctplab:master May 12, 2021
@tuexen
Member

tuexen commented May 12, 2021

Thanks for finding and fixing the issue I introduced recently.

@korniltsev

There might be the same issue in process_cookie_new; I've got another deadlock after applying 0ed173a.

[usrsctp-debug] HUH? process_cookie_new: could not find INIT chunk!
[usrsctp-debug] GAK, null buffer

@tuexen Do you think there should be a similar fix for process_cookie_new?

@tuexen
Member

tuexen commented May 12, 2021

> There might be the same issue in process_cookie_new; I've got another deadlock after applying 0ed173a.

Is this problem new? Introduced by 0ed173a?

> [usrsctp-debug] HUH? process_cookie_new: could not find INIT chunk!
> [usrsctp-debug] GAK, null buffer

That is very early in sctp_process_cookie_new(), there is no stcb yet allocated. Do you see this problem in production? I'm wondering why the INIT chunk can't be found in the COOKIE chunk...

Is the problem reproducible? If yes, how?

> @tuexen Do you think there should be a similar fix for process_cookie_new?

No, not the same.

@korniltsev

I don't think it's introduced by 0ed173a.
I shared a repro by email.
Not sure if it is possible to trigger it without FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION over the network, though.

@korniltsev

> That is very early in sctp_process_cookie_new(), there is no stcb yet allocated.

In my case stcb is already allocated:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x0000000104e11b75 fuzz`sctp_process_cookie_new(m=0x00007fa159606200, iphlen=0, offset=128, src=0x00007ffeeae5e720, dst=0x00007ffeeae5e710, sh=0x00007fa15a010a00, cookie=0x00007fa15a010a10, cookie_len=180, inp=0x00007fa15a00f200, netp=0x00007ffeeae5e490, init_src=0x00007ffeeae5d5e0, notification=0x00007ffeeae5d604, auth_skipped=0, auth_offset=0, auth_len=0, vrf_id=0, port=0) at sctp_input.c:2213:16
    frame #1: 0x0000000104e1533d fuzz`sctp_process_cookie_existing(m=0x00007fa159606200, iphlen=0, offset=128, src=0x00007ffeeae5e720, dst=0x00007ffeeae5e710, sh=0x00007fa15a010a00, cookie=0x00007fa15a010a10, cookie_len=180, inp=0x00007fa15a00f200, stcb=0x00007fa14a808a00, netp=0x00007ffeeae5e490, init_src=0x00007ffeeae5d5e0, notification=0x00007ffeeae5d604, auth_skipped=0, auth_offset=0, auth_len=0, vrf_id=0, port=0) at sctp_input.c:1953:12
    frame #2: 0x0000000104e0a760 fuzz`sctp_handle_cookie_echo(m=0x00007fa159606200, iphlen=0, offset=12, src=0x00007ffeeae5e720, dst=0x00007ffeeae5e710, sh=0x00007fa15a010a00, cp=0x00007fa15a010a0c, inp_p=0x00007ffeeae5e200, stcb=0x00007ffeeae5e208, netp=0x00007ffeeae5e490, auth_skipped=0, auth_offset=0, auth_len=0, locked_tcb=0x00007ffeeae5ddc8, vrf_id=0, port=0) at sctp_input.c:2937:11
    frame #3: 0x0000000104e0225a fuzz`sctp_process_control(m=0x00007fa159606200, iphlen=0, offset=0x00007ffeeae5e4f0, length=1184, src=0x00007ffeeae5e720, dst=0x00007ffeeae5e710, sh=0x00007fa15a010a00, ch=0x00007fa15a010a0c, inp=0x00007fa15a00f200, stcb=0x00007fa14a808a00, netp=0x00007ffeeae5e490, fwd_tsn_seen=0x00007ffeeae5e4d0, vrf_id=0, port=0) at sctp_input.c:5401:7
    frame #4: 0x0000000104dfc7b3 fuzz`sctp_common_input_processing(mm=0x00007ffeeae5e708, iphlen=0, offset=12, length=1184, src=0x00007ffeeae5e720, dst=0x00007ffeeae5e710, sh=0x00007fa15a010a00, ch=0x00007fa15a010a0c, compute_crc=0 '\0', ecn_bits=0 '\0', vrf_id=0, port=0) at sctp_input.c:5953:10
    frame #5: 0x0000000104ed5258 fuzz`usrsctp_conninput(addr=0x0000000000000003, buffer=0x00007fa15a00d800, length=1184, ecn_bits=0 '\0') at user_socket.c:3345:2

Also, I think there might be different reasons to return NULL from the function, for example OOM or the fd limit in kernel space.

@tuexen
Member

tuexen commented May 12, 2021

That is a special code path: sctp_input:1947. Will look into it.
