Author: tuexen
Date: Fri Jul 10 11:15:10 2020
New Revision: 363076
URL: https://svnweb.freebsd.org/changeset/base/363076

Log:
  Fix a use-after-free bug for the userland stack. The kernel
  stack is not affected.
  Thanks to Mark Wodrich from Google for finding and reporting the
  bug.
  
  MFC after:            1 week

Modified:
  head/sys/netinet/sctp_indata.c

Modified: head/sys/netinet/sctp_indata.c
==============================================================================
--- head/sys/netinet/sctp_indata.c      Fri Jul 10 11:01:05 2020        
(r363075)
+++ head/sys/netinet/sctp_indata.c      Fri Jul 10 11:15:10 2020        
(r363076)
@@ -1700,6 +1700,7 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struc
     int *break_flag, int last_chunk, uint8_t chk_type)
 {
        struct sctp_tmit_chunk *chk = NULL;     /* make gcc happy */
+       struct sctp_stream_in *strm;
        uint32_t tsn, fsn, gap, mid;
        struct mbuf *dmbuf;
        int the_len;
@@ -2327,12 +2328,13 @@ finish_express_del:
                        /* All can be removed */
                        TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, 
next, ncontrol) {
                                TAILQ_REMOVE(&asoc->pending_reply_queue, 
control, next);
+                               strm = &asoc->strmin[control->sinfo_stream];
                                sctp_queue_data_to_stream(stcb, asoc, control, 
abort_flag, &need_reasm_check);
                                if (*abort_flag) {
                                        return (0);
                                }
                                if (need_reasm_check) {
-                                       (void)sctp_deliver_reasm_check(stcb, 
asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+                                       (void)sctp_deliver_reasm_check(stcb, 
asoc, strm, SCTP_READ_LOCK_NOT_HELD);
                                        need_reasm_check = 0;
                                }
                        }
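Review bot: The added line `strm = &asoc->strmin[control->sinfo_stream];` is the entire fix, but nothing in the code says why the stream pointer has to be taken before `sctp_queue_data_to_stream()` rather than at the `sctp_deliver_reasm_check()` call site as before, so a later cleanup could fold it back and reintroduce the use-after-free the log describes. A one-line comment above it would pin the invariant: `/* control may be freed by sctp_queue_data_to_stream(); take the stream pointer first. */`. The log says only the userland stack is affected, presumably because the kernel build does not free `control` on that path, which is not visible in this file; the comment should say that the ordering is required regardless of build. The enclosing function sctp_process_a_data_chunk starts before this hunk and the `finish_express_del` block continues past it.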
@@ -2347,12 +2349,13 @@ finish_express_del:
                                 * control->sinfo_tsn > liste->tsn
                                 */
                                TAILQ_REMOVE(&asoc->pending_reply_queue, 
control, next);
+                               strm = &asoc->strmin[control->sinfo_stream];
                                sctp_queue_data_to_stream(stcb, asoc, control, 
abort_flag, &need_reasm_check);
                                if (*abort_flag) {
                                        return (0);
                                }
                                if (need_reasm_check) {
-                                       (void)sctp_deliver_reasm_check(stcb, 
asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+                                       (void)sctp_deliver_reasm_check(stcb, 
asoc, strm, SCTP_READ_LOCK_NOT_HELD);
                                        need_reasm_check = 0;
                                }
                        }
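Review bot: The loop body in this hunk is now a line-for-line copy of the one in the preceding pending_reply_queue loop (TAILQ_REMOVE, save `strm`, queue to stream, abort check, reassembly check, reset of need_reasm_check), so the lifetime fix had to be applied in two places and any future change to this sequence must be too. Factoring the body into one static helper that takes stcb, asoc, control and abort_flag, saves `strm` before queueing, and returns whether the caller should continue would leave a single place to get the ordering around `control` right. The parameter types of asoc and control are declared outside this hunk, so the helper's signature is not spelled out here. The condition selecting which entries this second loop handles (the comment mentions `control->sinfo_tsn > liste->tsn`) begins before the hunk, and the function continues after it.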