Date:      Wed, 1 Feb 2023 22:41:44 GMT
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: c2b0f069c42c - stable/13 - sctp: don't keep a pointer to a freed stcb around
Message-ID:  <202302012241.311MficF000517@gitrepo.freebsd.org>

The branch stable/13 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=c2b0f069c42ccd4111db78b85aad9c3cd543bb08

commit c2b0f069c42ccd4111db78b85aad9c3cd543bb08
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-04-15 12:00:00 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2023-02-01 22:41:21 +0000

    sctp: don't keep a pointer to a freed stcb around
    
    Reported by:    syzbot+b9ef06efdae7cb9ee414@syzkaller.appspotmail.com
    Reported by:    syzbot+b1e4793e0e6b25b0d510@syzkaller.appspotmail.com
    
    (cherry picked from commit eeba222172170c380450004fdceac80c3612b1e8)
---
 sys/netinet/sctp_pcb.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 9d9760bd0e86..ee1ff6bd56d9 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -3371,8 +3371,10 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
 		cnt_in_sd = 0;
 		LIST_FOREACH_SAFE(stcb, &inp->sctp_asoc_list, sctp_tcblist, nstcb) {
 			SCTP_TCB_LOCK(stcb);
+			/* Disconnect the socket please. */
+			stcb->sctp_socket = NULL;
+			SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);
 			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
-				stcb->sctp_socket = NULL;
 				/* Skip guys being freed */
 				cnt_in_sd++;
 				if (stcb->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) {
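Review bot: Hoisting `SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);` above the `SCTP_STATE_ABOUT_TO_BE_FREED` check is the only behavioural change visible here, and neither the new comment nor the commit message explains it. Before this change `stcb->sctp_socket = NULL;` was already executed on both paths (inside the skip branch and again after it), so what is new is that associations already marked about-to-be-freed now also receive the closed-socket substate. If that is the intent, the comment should say that the disconnect, including the substate, applies to every association on the list, also those being skipped. If only the assignment was meant to be unconditional, the substate update should stay below the skip branch.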
@@ -3404,9 +3406,6 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
 				}
 				continue;
 			}
-			/* Disconnect the socket please */
-			stcb->sctp_socket = NULL;
-			SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);
 			if ((stcb->asoc.size_on_reasm_queue > 0) ||
 			    (stcb->asoc.control_pdapi) ||
 			    (stcb->asoc.size_on_all_streams > 0) ||
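Review bot: Nothing in the lines removed ahead of the `size_on_reasm_queue` test, or in the previous hunk, shows which pointer to a freed stcb the subject line refers to: both hunks only touch `stcb->sctp_socket` and the association substate. A sentence in the commit message body naming the dangling reference and the path that kept it would let the fix be checked from the diff alone, which matters for a cherry-pick to stable/13. For the non-skipped path the move itself looks neutral in the lines shown, since the same two statements now run at the top of the loop body under `SCTP_TCB_LOCK(stcb);` before this point is reached.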



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202302012241.311MficF000517>