The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c98bf2a45e0527e7c1958f0a311cb2be072f1411

commit c98bf2a45e0527e7c1958f0a311cb2be072f1411
Author:     Mark Johnston <[email protected]>
AuthorDate: 2021-09-01 14:28:17 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2021-09-01 14:28:17 +0000

    sctp: Always check for a vanishing inpcb when processing COOKIE-ECHO
    
    We previously did this only in the normal case where no association
    exists yet.  However, it is not safe to process COOKIE-ECHO even if an
    association exists, as sctp_process_cookie_existing() may dereference
    the socket pointer.
    
    See also commit 0c7dc84076b64ef74c24f04400d572f75ef61bb4.
    
    Reviewed by:    tuexen
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D31755
---
 sys/netinet/sctp_input.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index f579d10333fb..61455e47dd71 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -4895,6 +4895,11 @@ process_control_chunks:
                                struct sctp_inpcb *linp;
                                struct sctp_tmit_chunk *chk;
 
+                               if (inp->sctp_flags & 
(SCTP_PCB_FLAGS_SOCKET_GONE |
+                                   SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
+                                       goto abend;
+                               }
+
                                if (stcb) {
                                        linp = NULL;
                                } else {
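Review bot: The flags test added ahead of `if (stcb)` now runs before `SCTP_ASOC_CREATE_LOCK(linp)` is taken, whereas the check removed in the second hunk ran with that lock held. Nothing visible here shows what keeps `SCTP_PCB_FLAGS_SOCKET_GONE` from being set between this test and the later socket dereference the commit message attributes to `sctp_process_cookie_existing()`. If a lock already held by the caller serializes this against socket teardown, a short comment above the test would record that, e.g. `/* inp->sctp_flags cannot change here: <lock held by caller> */`. Because `goto abend` can now be reached with a non-NULL `stcb`, it is also worth confirming that the `abend` path releases whatever TCB lock is held at this point; that label is outside the hunk. The enclosing case block starts and ends outside the hunk.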
@@ -4903,11 +4908,6 @@ process_control_chunks:
 
                                if (linp != NULL) {
                                        SCTP_ASOC_CREATE_LOCK(linp);
-                                       if ((inp->sctp_flags & 
SCTP_PCB_FLAGS_SOCKET_GONE) ||
-                                           (inp->sctp_flags & 
SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
-                                               SCTP_ASOC_CREATE_UNLOCK(linp);
-                                               goto abend;
-                                       }
                                }
 
                                if (netp != NULL) {