diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2021-09-01 14:27:31 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2021-09-08 12:40:36 +0000 |
| commit | 6bfe4afe73b392939061c0a54883f5067452f859 (patch) | |
| tree | c52f2a40f7510e27001eb4e2401d1a817c543dbd /sys/netinet | |
| parent | d30602a2b4952571ca4dcf302422cd86f4bfaa6a (diff) | |
sctp: Release the socket reference when detaching an association
Later in sctp_free_assoc(), when we clean up chunk lists,
sctp_free_spbufspace() is used to reset the byte count in the socket
send buffer. However, if the PCB is going away, the socket may already
have been detached from the PCB, in which case this becomes a use-after
free. Clear the socket reference from the association before detaching
it from the PCB, if the PCB has already lost its socket reference.
Reviewed by: tuexen
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 65f30a39e11bbbab927dbd2ca8de5ec5fc6af7ca)
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/sctp_pcb.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index fc3cd79c5d87..fb3b9fe6bdb8 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -4883,6 +4883,9 @@ sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int from_inpcbfre if (stcb->asoc.in_asocid_hash) { LIST_REMOVE(stcb, sctp_tcbasocidhash); } + if (inp->sctp_socket == NULL) { + stcb->sctp_socket = NULL; + } /* Now lets remove it from the list of ALL associations in the EP */ LIST_REMOVE(stcb, sctp_tcblist); if (from_inpcbfree == SCTP_NORMAL_PROC) { |