upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 08:43:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

sctp: Clear assoc socket references when freeing a PCB

Browse source 
This restores behaviour present in the first import of SCTP.  Commit
ceaad40ae7 commented this out and commit
62fb761ff2 removed it.  However, once
sctp_inpcb_free() returns, the socket reference is gone no matter what,
so we need to clear it.

Reported by:	syzbot+30dd69297fcbc5f0e10a@syzkaller.appspotmail.com
Reported by:	syzbot+7b2f9d4bcac1c9569291@syzkaller.appspotmail.com
Reported by:	syzbot+ed3e651f7d040af480a6@syzkaller.appspotmail.com
Reviewed by:	tuexen
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 4250aa1188)
This commit is contained in:
Mark Johnston 2021-09-09 08:33:26 -04:00
parent 1cce9f8fec
commit adfb7f807c
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
sys/netinet/sctp_pcb.c
View file

@ -3359,6 +3359,7 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
LIST_FOREACH_SAFE(asoc, &inp->sctp_asoc_list, sctp_tcblist, nasoc) {
SCTP_TCB_LOCK(asoc);
if (asoc->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
asoc->sctp_socket = NULL;
/* Skip guys being freed */
cnt_in_sd++;
if (asoc->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) {