Author: tuexen
Date: Mon Nov 30 09:22:33 2020
New Revision: 368180
URL: https://svnweb.freebsd.org/changeset/base/368180

Log:
  MFC r367520:
  
  Fix a potential use-after-free bug introduced in
  https://svnweb.freebsd.org/changeset/base/363046
  
  Thanks to Taylor Brandstetter for finding this issue using fuzz testing
  and reporting it in https://github.com/sctplab/usrsctp/issues/547

Modified:
  stable/12/sys/netinet/sctp_indata.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet/sctp_indata.c
==============================================================================
--- stable/12/sys/netinet/sctp_indata.c Mon Nov 30 09:21:01 2020        
(r368179)
+++ stable/12/sys/netinet/sctp_indata.c Mon Nov 30 09:22:33 2020        
(r368180)
@@ -5521,7 +5521,7 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
        unsigned int i, fwd_sz, m_size;
        uint32_t str_seq;
        struct sctp_stream_in *strm;
-       struct sctp_queued_to_read *control, *sv;
+       struct sctp_queued_to_read *control, *ncontrol, *sv;
 
        asoc = &stcb->asoc;
        if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct 
sctp_forward_tsn_chunk)) {
@@ -5681,14 +5681,14 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
                        }
                        strm = &asoc->strmin[sid];
                        if (ordered) {
-                               TAILQ_FOREACH(control, &strm->inqueue, 
next_instrm) {
+                               TAILQ_FOREACH_SAFE(control, &strm->inqueue, 
next_instrm, ncontrol) {
                                        if (SCTP_MID_GE(asoc->idata_supported, 
mid, control->mid)) {
                                                
sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
                                        }
                                }
                        } else {
                                if (asoc->idata_supported) {
-                                       TAILQ_FOREACH(control, 
&strm->uno_inqueue, next_instrm) {
+                                       TAILQ_FOREACH_SAFE(control, 
&strm->uno_inqueue, next_instrm, ncontrol) {
                                                if 
(SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
                                                        
sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
                                                }
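Review bot: Neither `TAILQ_FOREACH_SAFE` loop (on `strm->inqueue` and on `strm->uno_inqueue`) carries a comment explaining why the safe iterator is required, so a later cleanup could revert them to `TAILQ_FOREACH` and reintroduce the use-after-free named in the log. I would add above each loop something like `/* sctp_flush_reassm_for_str_seq() may unlink and free control; keep the _SAFE iterator. */`. The callee's body is not visible in this diff, so that wording assumes it is the callee that releases `control`. `TAILQ_FOREACH_SAFE` only tolerates removal of the current element, so it is worth confirming that the callee can never release the entry saved in `ncontrol` as well, since the loop would then still step onto freed memory. `sctp_handle_forward_tsn` starts and ends outside these hunks, so the rest of its queue handling was not reviewed here.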