d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Clear the pointer to the socket when closing it also in case of

Browse Source 
an ungraceful operation.
This fixes a use-after-free bug found and reported by Taylor
Brandstetter of Google by testing the userland stack.

MFC after:		1 week
This commit is contained in:
Michael Tuexen 2020-07-23 19:43:49 +00:00
parent e32e868528
commit 205f3e1597
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/netinet/sctp_pcb.c
View File

@ -3545,6 +3545,11 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
cnt = 0;
LIST_FOREACH_SAFE(asoc, &inp->sctp_asoc_list, sctp_tcblist, nasoc) {
SCTP_TCB_LOCK(asoc);
if (immediate != SCTP_FREE_SHOULD_USE_GRACEFUL_CLOSE) {
/* Disconnect the socket please */
asoc->sctp_socket = NULL;
SCTP_ADD_SUBSTATE(asoc, SCTP_STATE_CLOSED_SOCKET);
}
if (asoc->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
if (asoc->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) {
SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_IN_ACCEPT_QUEUE);