From a6a596e102be19141d042813e7411c9d931663c7 Mon Sep 17 00:00:00 2001 From: Michael Tuexen Date: Sun, 29 May 2022 20:40:30 +0200 Subject: [PATCH] sctp: improve handling of listen() call Fail the listen() call for 1-to-1 style sockets when the SCTP association has been shutdown or aborted. Reported by: syzbot+6c484f116b9dc88f7db1@syzkaller.appspotmail.com MFC after: 3 days
---
 sys/netinet/sctp_usrreq.c | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 05820f2b285..caa763f28c8 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -7221,6 +7221,15 @@ sctp_listen(struct socket *so, int backlog, struct thread *p)
 SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, error);
 goto out;
 }
+ if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
+ ((inp->sctp_flags & SCTP_PCB_FLAGS_WAS_CONNECTED) ||
+ (inp->sctp_flags & SCTP_PCB_FLAGS_WAS_ABORTED))) {
+ SOCK_UNLOCK(so);
+ solisten_proto_abort(so);
+ error = EINVAL;
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, error);
+ goto out;
+ }
 if (inp->sctp_flags & SCTP_PCB_FLAGS_UNBOUND) {
 if ((error = sctp_inpcb_bind_locked(inp, NULL, NULL, p))) {
 SOCK_UNLOCK(so);
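Review bot: The new guard carries no comment explaining why a 1-to-1 style socket with SCTP_PCB_FLAGS_WAS_CONNECTED or SCTP_PCB_FLAGS_WAS_ABORTED set is refused; that reasoning lives only in the commit message, so add `/* A 1-to-1 style socket whose association has been shut down or aborted cannot go back to listening; reject with EINVAL. */` above the if. The two WAS_* tests can be folded into one mask test, `(inp->sctp_flags & (SCTP_PCB_FLAGS_WAS_CONNECTED | SCTP_PCB_FLAGS_WAS_ABORTED)) != 0`, which reads as a single "association already ended" condition. The unlock / solisten_proto_abort / EINVAL / trace / goto sequence repeats the error path visible just above it; if further pre-listen checks accumulate, a shared cleanup label that unlocks and aborts the listen would lower the risk of one path missing the SOCK_UNLOCK. sctp_listen's body continues outside the hunk on both sides, so whether the flags are read under the inp lock cannot be confirmed from here.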