Author: tuexen
Date: Mon Nov  9 13:12:07 2020
New Revision: 367520
URL: https://svnweb.freebsd.org/changeset/base/367520

Log:
  Fix a potential use-after-free bug introduced in
  https://svnweb.freebsd.org/changeset/base/363046
  
  Thanks to Taylor Brandstetter for finding this issue using fuzz testing
  and reporting it in https://github.com/sctplab/usrsctp/issues/547

Modified:
  head/sys/netinet/sctp_indata.c

Modified: head/sys/netinet/sctp_indata.c
==============================================================================
--- head/sys/netinet/sctp_indata.c      Mon Nov  9 09:31:21 2020        
(r367519)
+++ head/sys/netinet/sctp_indata.c      Mon Nov  9 13:12:07 2020        
(r367520)
@@ -5494,7 +5494,7 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
        unsigned int i, fwd_sz, m_size;
        uint32_t str_seq;
        struct sctp_stream_in *strm;
-       struct sctp_queued_to_read *control, *sv;
+       struct sctp_queued_to_read *control, *ncontrol, *sv;
 
        asoc = &stcb->asoc;
        if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct 
sctp_forward_tsn_chunk)) {
@@ -5654,14 +5654,14 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
                        }
                        strm = &asoc->strmin[sid];
                        if (ordered) {
-                               TAILQ_FOREACH(control, &strm->inqueue, 
next_instrm) {
+                               TAILQ_FOREACH_SAFE(control, &strm->inqueue, 
next_instrm, ncontrol) {
                                        if (SCTP_MID_GE(asoc->idata_supported, 
mid, control->mid)) {
                                                
sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
                                        }
                                }
                        } else {
                                if (asoc->idata_supported) {
-                                       TAILQ_FOREACH(control, 
&strm->uno_inqueue, next_instrm) {
+                                       TAILQ_FOREACH_SAFE(control, 
&strm->uno_inqueue, next_instrm, ncontrol) {
                                                if 
(SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
                                                        
sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
                                                }
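Review bot: The switch to TAILQ_FOREACH_SAFE only protects the iteration if sctp_flush_reassm_for_str_seq() unlinks and frees nothing beyond the `control` it is handed; the saved `ncontrol` is read on the next iteration, so if the helper can also drop the following entry for the same stream/mid the dangling-pointer problem the commit fixes simply moves one element later, which is worth confirming against the helper body (not shown here). The reason for the `_SAFE` variant is invisible at the call site, so a one-line comment above each loop would keep a future cleanup from reverting it, e.g. `/* _SAFE: sctp_flush_reassm_for_str_seq() may unlink and free control */`. The enclosing sctp_handle_forward_tsn() both starts and ends outside the hunk.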