sctp: Always check for a vanishing inpcb when processing COOKIE-ECHO

We previously did this only in the normal case where no association
exists yet.  However, it is not safe to process COOKIE-ECHO even if an
association exists, as sctp_process_cookie_existing() may dereference
the socket pointer.

See also commit 0c7dc84076.

Reviewed by:	tuexen
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31755
Mark Johnston 2021-09-01 10:28:17 -04:00
parent d35be50f57
commit c98bf2a45e


@ -4895,6 +4895,11 @@ process_control_chunks:
struct sctp_inpcb *linp;
struct sctp_tmit_chunk *chk;
if (inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE |
SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
goto abend;
}
if (stcb) {
linp = NULL;
} else {
@ -4903,11 +4908,6 @@ process_control_chunks:
if (linp != NULL) {
SCTP_ASOC_CREATE_LOCK(linp);
if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
(inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
SCTP_ASOC_CREATE_UNLOCK(linp);
goto abend;
}
}
if (netp != NULL) {
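Review bot: The SOCKET_GONE/SOCKET_ALLGONE test at the top of the COOKIE-ECHO block (the added lines, judging by the hunk counts and the commit message) runs before `SCTP_ASOC_CREATE_LOCK(linp)` is taken, whereas the copy removed in the second hunk ran between that lock and `SCTP_ASOC_CREATE_UNLOCK(linp)`. If the teardown path can set these flags concurrently, the inpcb could lose its socket after this test but before the cookie is processed; nothing visible here shows which lock keeps the early read stable, so that should be confirmed against the code outside the hunks. A short comment would record the assumption, e.g. `/* inp flags are stable here because <lock held by caller>; sctp_process_cookie_existing() may dereference the socket. */`, or the test could be repeated after the create lock is acquired when `linp != NULL`. The enclosing case block starts and ends outside the hunks shown.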