d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sctp: Clear assoc socket references when freeing a PCB

Browse Source 
This restores behaviour present in the first import of SCTP.  Commit
ceaad40ae7 commented this out and commit
62fb761ff2 removed it.  However, once
sctp_inpcb_free() returns, the socket reference is gone no matter what,
so we need to clear it.

Reported by:	syzbot+30dd69297fcbc5f0e10a@syzkaller.appspotmail.com
Reported by:	syzbot+7b2f9d4bcac1c9569291@syzkaller.appspotmail.com
Reported by:	syzbot+ed3e651f7d040af480a6@syzkaller.appspotmail.com
Reviewed by:	tuexen
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31886
This commit is contained in:
Mark Johnston 2021-09-09 08:33:26 -04:00
parent 395db99f32
commit 4250aa1188
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sys/netinet/sctp_pcb.c
View File

@ -3358,6 +3358,7 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
LIST_FOREACH_SAFE(asoc, &inp->sctp_asoc_list, sctp_tcblist, nasoc) {
SCTP_TCB_LOCK(asoc);
if (asoc->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
asoc->sctp_socket = NULL;
/* Skip guys being freed */
cnt_in_sd++;
if (asoc->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) {