svn commit: r368180 - stable/12/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Mon Nov 30 09:22:34 UTC 2020
Author: tuexen
Date: Mon Nov 30 09:22:33 2020
New Revision: 368180
URL: https://svnweb.freebsd.org/changeset/base/368180
Log:
MFC r367520:
Fix a potential use-after-free bug introduced in
https://svnweb.freebsd.org/changeset/base/363046
Thanks to Taylor Brandstetter for finding this issue using fuzz testing
and reporting it in https://github.com/sctplab/usrsctp/issues/547
Modified:
stable/12/sys/netinet/sctp_indata.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netinet/sctp_indata.c
==============================================================================
--- stable/12/sys/netinet/sctp_indata.c Mon Nov 30 09:21:01 2020 (r368179)
+++ stable/12/sys/netinet/sctp_indata.c Mon Nov 30 09:22:33 2020 (r368180)
@@ -5521,7 +5521,7 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
unsigned int i, fwd_sz, m_size;
uint32_t str_seq;
struct sctp_stream_in *strm;
- struct sctp_queued_to_read *control, *sv;
+ struct sctp_queued_to_read *control, *ncontrol, *sv;
asoc = &stcb->asoc;
if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) {
@@ -5681,14 +5681,14 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
}
strm = &asoc->strmin[sid];
if (ordered) {
- TAILQ_FOREACH(control, &strm->inqueue, next_instrm) {
+ TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, ncontrol) {
if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
}
}
} else {
if (asoc->idata_supported) {
- TAILQ_FOREACH(control, &strm->uno_inqueue, next_instrm) {
+ TAILQ_FOREACH_SAFE(control, &strm->uno_inqueue, next_instrm, ncontrol) {
if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
}
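Review bot: Both loops in this hunk now rely on a contract that is not written down: `TAILQ_FOREACH_SAFE` only protects against the body unlinking and freeing `control` itself. It stays safe only as long as `sctp_flush_reassm_for_str_seq()` never removes the saved next entry (`ncontrol`) from `strm->inqueue` or `strm->uno_inqueue`. That callee is not visible here, so I would confirm this and record it above the first loop, e.g. `/* sctp_flush_reassm_for_str_seq() may unlink and free control; it must not touch ncontrol. */`, with the same comment on the unordered loop. `sctp_handle_forward_tsn()` starts and ends outside the hunk, so any other walk of these queues that calls the same helper is worth checking for the plain `TAILQ_FOREACH` pattern as well.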