Date:      Mon, 30 Nov 2020 09:22:33 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r368180 - stable/12/sys/netinet
Message-ID:  <202011300922.0AU9MXOf096573@repo.freebsd.org>

Author: tuexen
Date: Mon Nov 30 09:22:33 2020
New Revision: 368180
URL: https://svnweb.freebsd.org/changeset/base/368180

Log:
  MFC r367520:
  
  Fix a potential use-after-free bug introduced in
  https://svnweb.freebsd.org/changeset/base/363046
  
  Thanks to Taylor Brandstetter for finding this issue using fuzz testing
  and reporting it in https://github.com/sctplab/usrsctp/issues/547

Modified:
  stable/12/sys/netinet/sctp_indata.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet/sctp_indata.c
==============================================================================
--- stable/12/sys/netinet/sctp_indata.c	Mon Nov 30 09:21:01 2020	(r368179)
+++ stable/12/sys/netinet/sctp_indata.c	Mon Nov 30 09:22:33 2020	(r368180)
@@ -5521,7 +5521,7 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
 	unsigned int i, fwd_sz, m_size;
 	uint32_t str_seq;
 	struct sctp_stream_in *strm;
-	struct sctp_queued_to_read *control, *sv;
+	struct sctp_queued_to_read *control, *ncontrol, *sv;
 
 	asoc = &stcb->asoc;
 	if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) {
@@ -5681,14 +5681,14 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
 			}
 			strm = &asoc->strmin[sid];
 			if (ordered) {
-				TAILQ_FOREACH(control, &strm->inqueue, next_instrm) {
+				TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, ncontrol) {
 					if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
 						sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
 					}
 				}
 			} else {
 				if (asoc->idata_supported) {
-					TAILQ_FOREACH(control, &strm->uno_inqueue, next_instrm) {
+					TAILQ_FOREACH_SAFE(control, &strm->uno_inqueue, next_instrm, ncontrol) {
 						if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
 							sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
 						}
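Review bot: Neither converted loop (ordered `inqueue`, unordered `uno_inqueue`) records why the `_SAFE` iterator is required, so a later cleanup could switch back to `TAILQ_FOREACH` and reintroduce the use-after-free named in the log. Judging from the log and the change itself, `sctp_flush_reassm_for_str_seq()` can presumably unlink and free `control`; a comment above each loop such as `/* sctp_flush_reassm_for_str_seq() may remove and free control; use the _SAFE iterator and do not touch control after the call. */` would make that explicit. `TAILQ_FOREACH_SAFE` only saves the successor before the body runs, so the fix holds only if the callee never removes an entry other than `control` from the same queue. The callee is not visible here, so that is worth confirming and stating in its header comment. The body of `sctp_handle_forward_tsn` starts and ends outside this hunk.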


