git: 65f30a39e11b - main - sctp: Release the socket reference when detaching an association

Mark Johnston markj at FreeBSD.org
Wed Sep 1 14:28:44 UTC 2021


The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=65f30a39e11bbbab927dbd2ca8de5ec5fc6af7ca

commit 65f30a39e11bbbab927dbd2ca8de5ec5fc6af7ca
Author:     Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-09-01 14:27:31 +0000
Commit:     Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-09-01 14:27:31 +0000

    sctp: Release the socket reference when detaching an association
    
    Later in sctp_free_assoc(), when we clean up chunk lists,
    sctp_free_spbufspace() is used to reset the byte count in the socket
    send buffer.  However, if the PCB is going away, the socket may already
    have been detached from the PCB, in which case this becomes a
    use-after-free.  Clear the socket reference from the association before detaching
    it from the PCB, if the PCB has already lost its socket reference.
    
    Reviewed by:    tuexen
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D31753
---
 sys/netinet/sctp_pcb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 7aa20b5e14b9..2b8653ac8109 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -4900,6 +4900,9 @@ sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int from_inpcbfre
 	if (stcb->asoc.in_asocid_hash) {
 		LIST_REMOVE(stcb, sctp_tcbasocidhash);
 	}
+	if (inp->sctp_socket == NULL) {
+		stcb->sctp_socket = NULL;
+	}
 	/* Now lets remove it from the list of ALL associations in the EP */
 	LIST_REMOVE(stcb, sctp_tcblist);
 	if (from_inpcbfree == SCTP_NORMAL_PROC) {
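Review bot: the new `if (inp->sctp_socket == NULL) { stcb->sctp_socket = NULL; }` block carries no comment, so a later reader of this function has no way to tell from the code itself why the association's socket pointer is dropped only when the PCB's own pointer is already NULL; the reasoning lives solely in the commit message. Suggest adding a short comment above the check along the lines of "The socket may already have been detached from the PCB; clear our reference so the chunk-list cleanup later in this function does not touch a freed socket", and, since the check is placed ahead of the `LIST_REMOVE(stcb, sctp_tcblist)` that follows, noting that the ordering relative to the PCB detach is intentional.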