git: c2b0f069c42c - stable/13 - sctp: don't keep a pointer to a freed stcb around
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 01 Feb 2023 22:41:44 UTC
The branch stable/13 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=c2b0f069c42ccd4111db78b85aad9c3cd543bb08 commit c2b0f069c42ccd4111db78b85aad9c3cd543bb08 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2022-04-15 12:00:00 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2023-02-01 22:41:21 +0000 sctp: don't keep a pointer to a freed stcb around Reported by: syzbot+b9ef06efdae7cb9ee414@syzkaller.appspotmail.com Reported by: syzbot+b1e4793e0e6b25b0d510@syzkaller.appspotmail.com (cherry picked from commit eeba222172170c380450004fdceac80c3612b1e8) --- sys/netinet/sctp_pcb.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index 9d9760bd0e86..ee1ff6bd56d9 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -3371,8 +3371,10 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from) cnt_in_sd = 0; LIST_FOREACH_SAFE(stcb, &inp->sctp_asoc_list, sctp_tcblist, nstcb) { SCTP_TCB_LOCK(stcb); + /* Disconnect the socket please. */ + stcb->sctp_socket = NULL; + SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET); if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) { - stcb->sctp_socket = NULL; /* Skip guys being freed */ cnt_in_sd++; if (stcb->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) { @@ -3404,9 +3406,6 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from) } continue; } - /* Disconnect the socket please */ - stcb->sctp_socket = NULL; - SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET); if ((stcb->asoc.size_on_reasm_queue > 0) || (stcb->asoc.control_pdapi) || (stcb->asoc.size_on_all_streams > 0) ||