The branch main has been updated by tuexen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=eeba222172170c380450004fdceac80c3612b1e8

commit eeba222172170c380450004fdceac80c3612b1e8
Author:     Michael Tuexen <tue...@freebsd.org>
AuthorDate: 2022-04-15 12:00:00 +0000
Commit:     Michael Tuexen <tue...@freebsd.org>
CommitDate: 2022-04-15 12:00:00 +0000

    sctp: don't keep a pointer to a freed stcb around
    
    Reported by:    syzbot+b9ef06efdae7cb9ee...@syzkaller.appspotmail.com
    Reported by:    syzbot+b1e4793e0e6b25b0d...@syzkaller.appspotmail.com
    MFC after:      3 days
---
 sys/netinet/sctp_pcb.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 4853729dca84..7b340910c2a8 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -3371,8 +3371,10 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, 
int from)
                cnt_in_sd = 0;
                LIST_FOREACH_SAFE(stcb, &inp->sctp_asoc_list, sctp_tcblist, 
nstcb) {
                        SCTP_TCB_LOCK(stcb);
+                       /* Disconnect the socket please. */
+                       stcb->sctp_socket = NULL;
+                       SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);
                        if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
-                               stcb->sctp_socket = NULL;
                                /* Skip guys being freed */
                                cnt_in_sd++;
                                if (stcb->asoc.state & 
SCTP_STATE_IN_ACCEPT_QUEUE) {
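Review bot: The relocated comment `/* Disconnect the socket please. */` does not record that these two statements must now run before the `SCTP_STATE_ABOUT_TO_BE_FREED` check, and that ordering appears to be the whole fix. With this hunk, every stcb on `inp->sctp_asoc_list` gets `sctp_socket = NULL` and `SCTP_STATE_CLOSED_SOCKET` right after `SCTP_TCB_LOCK(stcb)`, including those that take the `continue` path; previously that branch only cleared the pointer and never set the substate. I would say so in the comment, for example `/* Detach the socket and mark it closed for every stcb, including ones already being freed; keep this above the ABOUT_TO_BE_FREED check. */`, so a later cleanup does not move the lines back below the `continue`. The commit log does not say which path depended on the missing substate, so the link to the syzbot use-after-free reports is inferred here. The body of `sctp_inpcb_free` starts and ends outside the hunk.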
@@ -3404,9 +3406,6 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, 
int from)
                                }
                                continue;
                        }
-                       /* Disconnect the socket please */
-                       stcb->sctp_socket = NULL;
-                       SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);
                        if ((stcb->asoc.size_on_reasm_queue > 0) ||
                            (stcb->asoc.control_pdapi) ||
                            (stcb->asoc.size_on_all_streams > 0) ||
