Make sure that we don't free an SCTP shared key too early.

Thanks to Pouyan Sepehrdad from Qualcomm Product Security Initiative
for reporting the issue.
MFC after: 3 days
This commit is contained in:
tuexen 2015-03-25 22:45:54 +00:00
parent b24b75c074
commit 7ca13bb5b0

View File

@ -576,13 +576,12 @@ sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t key_id, int so_locked
/* decrement the ref count */
if (skey) {
sctp_free_sharedkey(skey);
SCTPDBG(SCTP_DEBUG_AUTH2,
"%s: stcb %p key %u refcount release to %d\n",
__FUNCTION__, (void *)stcb, key_id, skey->refcount);
/* see if a notification should be generated */
if ((skey->refcount <= 1) && (skey->deactivated)) {
if ((skey->refcount <= 2) && (skey->deactivated)) {
/* notify ULP that key is no longer used */
sctp_ulp_notify(SCTP_NOTIFY_AUTH_FREE_KEY, stcb,
key_id, 0, so_locked);
@ -590,6 +589,7 @@ sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t key_id, int so_locked
"%s: stcb %p key %u no longer used, %d\n",
__FUNCTION__, (void *)stcb, key_id, skey->refcount);
}
sctp_free_sharedkey(skey);
}
}