svn commit: r364636 - stable/12/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Mon Aug 24 09:00:07 UTC 2020
Author: tuexen
Date: Mon Aug 24 09:00:07 2020
New Revision: 364636
URL: https://svnweb.freebsd.org/changeset/base/364636
Log:
MFC r363076:
Fix a use-after-free bug for the userland stack. The kernel
stack is not affected.
Thanks to Mark Wodrich from Google for finding and reporting the
bug.
Modified:
stable/12/sys/netinet/sctp_indata.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netinet/sctp_indata.c
==============================================================================
--- stable/12/sys/netinet/sctp_indata.c Mon Aug 24 08:58:45 2020 (r364635)
+++ stable/12/sys/netinet/sctp_indata.c Mon Aug 24 09:00:07 2020 (r364636)
@@ -1700,6 +1700,7 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struc
int *break_flag, int last_chunk, uint8_t chk_type)
{
struct sctp_tmit_chunk *chk = NULL; /* make gcc happy */
+ struct sctp_stream_in *strm;
uint32_t tsn, fsn, gap, mid;
struct mbuf *dmbuf;
int the_len;
@@ -2327,12 +2328,13 @@ finish_express_del:
/* All can be removed */
TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
+ strm = &asoc->strmin[control->sinfo_stream];
sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
if (*abort_flag) {
return (0);
}
if (need_reasm_check) {
- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
need_reasm_check = 0;
}
}
@@ -2347,12 +2349,13 @@ finish_express_del:
* control->sinfo_tsn > liste->tsn
*/
TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
+ strm = &asoc->strmin[control->sinfo_stream];
sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
if (*abort_flag) {
return (0);
}
if (need_reasm_check) {
- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
need_reasm_check = 0;
}
}
More information about the svn-src-all
mailing list