Date: Wed, 1 Sep 2021 14:28:44 GMT
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 65f30a39e11b - main - sctp: Release the socket reference when detaching an association
Message-ID: <202109011428.181ESiDJ027503@gitrepo.freebsd.org>
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=65f30a39e11bbbab927dbd2ca8de5ec5fc6af7ca commit 65f30a39e11bbbab927dbd2ca8de5ec5fc6af7ca Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-09-01 14:27:31 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-09-01 14:27:31 +0000 sctp: Release the socket reference when detaching an association Later in sctp_free_assoc(), when we clean up chunk lists, sctp_free_spbufspace() is used to reset the byte count in the socket send buffer. However, if the PCB is going away, the socket may already have been detached from the PCB, in which case this becomes a use-after free. Clear the socket reference from the association before detaching it from the PCB, if the PCB has already lost its socket reference. Reviewed by: tuexen MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31753 --- sys/netinet/sctp_pcb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index 7aa20b5e14b9..2b8653ac8109 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -4900,6 +4900,9 @@ sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int from_inpcbfre if (stcb->asoc.in_asocid_hash) { LIST_REMOVE(stcb, sctp_tcbasocidhash); } + if (inp->sctp_socket == NULL) { + stcb->sctp_socket = NULL; + } /* Now lets remove it from the list of ALL associations in the EP */ LIST_REMOVE(stcb, sctp_tcblist); if (from_inpcbfree == SCTP_NORMAL_PROC) {
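Review bot: the three added lines in sctp_free_assoc() carry no comment, so the reason for clearing stcb->sctp_socket lives only in the commit message. A short comment above the "if (inp->sctp_socket == NULL)" check, saying that the socket may already be detached from the PCB and that the later chunk-list cleanup through sctp_free_spbufspace() must not touch it, would keep the check from being dropped as redundant later. The fix also relies on that later path skipping the send-buffer accounting when stcb->sctp_socket is NULL, which is not visible in this hunk and is worth confirming during review.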