From owner-dev-commits-src-branches@freebsd.org Wed Sep 8 12:41:50 2021
Return-Path:
Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5F7A567A1D5; Wed, 8 Sep 2021 12:41:50 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4H4MG624kQz3h3Z; Wed, 8 Sep 2021 12:41:50 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1650626159; Wed, 8 Sep 2021 12:41:50 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 188CfnkB065255; Wed, 8 Sep 2021 12:41:49 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 188CfnWu065254; Wed, 8 Sep 2021 12:41:49 GMT (envelope-from git)
Date: Wed, 8 Sep 2021 12:41:49 GMT
Message-Id: <202109081241.188CfnWu065254@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 6bfe4afe73b3 - stable/13 - sctp: Release the socket reference when detaching an association
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 6bfe4afe73b392939061c0a54883f5067452f859
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Sep 2021 12:41:50 -0000

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=6bfe4afe73b392939061c0a54883f5067452f859

commit 6bfe4afe73b392939061c0a54883f5067452f859
Author:     Mark Johnston
AuthorDate: 2021-09-01 14:27:31 +0000
Commit:     Mark Johnston
CommitDate: 2021-09-08 12:40:36 +0000

    sctp: Release the socket reference when detaching an association

    Later in sctp_free_assoc(), when we clean up chunk lists,
    sctp_free_spbufspace() is used to reset the byte count in the socket
    send buffer. However, if the PCB is going away, the socket may already
    have been detached from the PCB, in which case this becomes a
    use-after-free.

    Clear the socket reference from the association before detaching it
    from the PCB, if the PCB has already lost its socket reference.

    Reviewed by:    tuexen
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 65f30a39e11bbbab927dbd2ca8de5ec5fc6af7ca)
---
 sys/netinet/sctp_pcb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index fc3cd79c5d87..fb3b9fe6bdb8 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -4883,6 +4883,9 @@ sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int from_inpcbfre if (stcb->asoc.in_asocid_hash) { LIST_REMOVE(stcb, sctp_tcbasocidhash); } + if (inp->sctp_socket == NULL) { + stcb->sctp_socket = NULL; + } /* Now lets remove it from the list of ALL associations in the EP */ LIST_REMOVE(stcb, sctp_tcblist); if (from_inpcbfree == SCTP_NORMAL_PROC) {
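Review bot: The new `if (inp->sctp_socket == NULL)` block in sctp_free_assoc() carries no comment, yet it encodes a non-obvious lifetime rule (the association may outlive the PCB's socket reference), so a reader of sctp_pcb.c will not know why stcb->sctp_socket is being nulled here; suggest a one-line comment above it along the lines of "The socket is already gone; drop our reference so later cleanup (sctp_free_spbufspace()) does not touch freed memory." Two points worth confirming in the full function rather than the three visible lines: clearing the pointer only removes the use-after-free if every later user of stcb->sctp_socket in this path, sctp_free_spbufspace() included, tolerates a NULL socket, and the check of inp->sctp_socket must be made under whatever lock protects the PCB's socket field, so that the socket cannot be detached between this test and the later cleanup.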