The branch main has been updated by markj:
URL:
https://cgit.FreeBSD.org/src/commit/?id=4250aa1188b5622a6cef871003abd4a50067bdae
commit 4250aa1188b5622a6cef871003abd4a50067bdae
Author: Mark Johnston <ma...@freebsd.org>
AuthorDate: 2021-09-09 12:33:26 +0000
Commit: Mark Johnston <ma...@freebsd.org>
CommitDate: 2021-09-09 12:33:26 +0000
sctp: Clear assoc socket references when freeing a PCB
This restores behaviour present in the first import of SCTP. Commit
ceaad40ae729dea2c5d8ffcfdd45bb96fb8969d2 commented this out and commit
62fb761ff28bb184a2543e539dd689fefd5d3246 removed it. However, once
sctp_inpcb_free() returns, the socket reference is gone no matter what,
so we need to clear it.
Reported by: syzbot+30dd69297fcbc5f0e...@syzkaller.appspotmail.com
Reported by: syzbot+7b2f9d4bcac1c9569...@syzkaller.appspotmail.com
Reported by: syzbot+ed3e651f7d040af48...@syzkaller.appspotmail.com
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31886
---
sys/netinet/sctp_pcb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 82b7157c7ad7..e571f80e472a 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -3358,6 +3358,7 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate,
int from)
LIST_FOREACH_SAFE(asoc, &inp->sctp_asoc_list, sctp_tcblist,
nasoc) {
SCTP_TCB_LOCK(asoc);
if (asoc->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
+ asoc->sctp_socket = NULL;
/* Skip guys being freed */
cnt_in_sd++;
if (asoc->asoc.state &
SCTP_STATE_IN_ACCEPT_QUEUE) {
_______________________________________________
dev-commits-src-main@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main
To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"
