git: c2b0f069c42c - stable/13 - sctp: don't keep a pointer to a freed stcb around
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 01 Feb 2023 22:41:44 UTC
The branch stable/13 has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=c2b0f069c42ccd4111db78b85aad9c3cd543bb08
commit c2b0f069c42ccd4111db78b85aad9c3cd543bb08
Author: Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-04-15 12:00:00 +0000
Commit: Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2023-02-01 22:41:21 +0000
sctp: don't keep a pointer to a freed stcb around
Reported by: syzbot+b9ef06efdae7cb9ee414@syzkaller.appspotmail.com
Reported by: syzbot+b1e4793e0e6b25b0d510@syzkaller.appspotmail.com
(cherry picked from commit eeba222172170c380450004fdceac80c3612b1e8)
---
sys/netinet/sctp_pcb.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 9d9760bd0e86..ee1ff6bd56d9 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -3371,8 +3371,10 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
cnt_in_sd = 0;
LIST_FOREACH_SAFE(stcb, &inp->sctp_asoc_list, sctp_tcblist, nstcb) {
SCTP_TCB_LOCK(stcb);
+ /* Disconnect the socket please. */
+ stcb->sctp_socket = NULL;
+ SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);
if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
- stcb->sctp_socket = NULL;
/* Skip guys being freed */
cnt_in_sd++;
if (stcb->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) {
@@ -3404,9 +3406,6 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
}
continue;
}
- /* Disconnect the socket please */
- stcb->sctp_socket = NULL;
- SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);
if ((stcb->asoc.size_on_reasm_queue > 0) ||
(stcb->asoc.control_pdapi) ||
(stcb->asoc.size_on_all_streams > 0) ||