Date:      Sun, 23 Aug 2020 22:54:30 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r364585 - stable/12/sys/netinet
Message-ID:  <202008232254.07NMsUoF017754@repo.freebsd.org>

Author: tuexen
Date: Sun Aug 23 22:54:30 2020
New Revision: 364585
URL: https://svnweb.freebsd.org/changeset/base/364585

Log:
  MFC r361116:
  Ensure that an stcb is not dereferenced when it is about to be
  freed.
  This issue was found by SYZKALLER.

Modified:
  stable/12/sys/netinet/sctp_indata.c
  stable/12/sys/netinet/sctp_indata.h
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet/sctp_indata.c
==============================================================================
--- stable/12/sys/netinet/sctp_indata.c	Sun Aug 23 22:52:47 2020	(r364584)
+++ stable/12/sys/netinet/sctp_indata.c	Sun Aug 23 22:54:30 2020	(r364585)
@@ -164,6 +164,9 @@ sctp_build_readq_entry(struct sctp_tcb *stcb,
 	read_queue_e->data = dm;
 	read_queue_e->stcb = stcb;
 	read_queue_e->port_from = stcb->rport;
+	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
+		read_queue_e->do_not_ref_stcb = 1;
+	}
 failed_build:
 	return (read_queue_e);
 }
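Review bot: The added check sets `do_not_ref_stcb` only when `SCTP_STATE_ABOUT_TO_BE_FREED` is present and never writes the field otherwise, so it relies on the entry having been zero-filled earlier in sctp_build_readq_entry, whose beginning is outside this hunk; if that allocation is not zeroed, an unconditional assignment `read_queue_e->do_not_ref_stcb = (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) ? 1 : 0;` would remove the dependency. The same test is duplicated in the sctp_build_readq_entry macro in sctp_indata.h (the third hunk), so a comment naming the other copy would help keep the two in sync, e.g. `/* Mirrors the check in the sctp_build_readq_entry macro (sctp_indata.h); keep both in sync. */`. The association state is read without any lock visible in the hunk; presumably the caller holds the TCB lock, and stating that assumption in the same comment would make the race this closes easier to audit.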
@@ -775,6 +778,7 @@ sctp_build_readq_entry_from_ctl(struct sctp_queued_to_
 	atomic_add_int(&nc->whoFrom->ref_count, 1);
 	nc->stcb = control->stcb;
 	nc->port_from = control->port_from;
+	nc->do_not_ref_stcb = control->do_not_ref_stcb;
 }
 
 static void

Modified: stable/12/sys/netinet/sctp_indata.h
==============================================================================
--- stable/12/sys/netinet/sctp_indata.h	Sun Aug 23 22:52:47 2020	(r364584)
+++ stable/12/sys/netinet/sctp_indata.h	Sun Aug 23 22:54:30 2020	(r364585)
@@ -68,6 +68,9 @@ sctp_build_readq_entry(struct sctp_tcb *stcb,
 		(_ctl)->data = dm; \
 		(_ctl)->stcb = (in_it); \
 		(_ctl)->port_from = (in_it)->rport; \
+		if ((in_it)->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) { \
+			(_ctl)->do_not_ref_stcb = 1; \
+		}\
 	} \
 } while (0)
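Review bot: The added closing line `}\` omits the space before the line-continuation backslash that every other line of this macro has; writing `} \` keeps the continuation column consistent with the surrounding lines. The macro's opening lines are outside the hunk. Since this macro now carries the same state test as the C function in sctp_indata.c, a one-line comment such as `/* Same check as sctp_build_readq_entry() in sctp_indata.c. */` above the `if` would point maintainers at the other copy.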
 


