diff options
author | tuexen <tuexen@FreeBSD.org> | 2015-05-29 13:23:16 +0000 |
---|---|---|
committer | tuexen <tuexen@FreeBSD.org> | 2015-05-29 13:23:16 +0000 |
commit | 443fcce7c93616c27ca0748213e5b268ad3dab8e (patch) | |
tree | 91c59c6336effd02348a14fd13a7c7004f5f7b71 | |
parent | 6fa1d035cba1a76bd3d08ca33e390029039c3a7e (diff) | |
download | FreeBSD-src-443fcce7c93616c27ca0748213e5b268ad3dab8e.zip FreeBSD-src-443fcce7c93616c27ca0748213e5b268ad3dab8e.tar.gz |
MFC r280642:
Make sure that we don't free an SCTP shared key too early.
Thanks to Pouyan Sepehrdad from Qualcomm Product Security Initiative
for reporting the issue.
-rw-r--r-- | sys/netinet/sctp_auth.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet/sctp_auth.c b/sys/netinet/sctp_auth.c index 8ce2aab..7c2e194 100644 --- a/sys/netinet/sctp_auth.c +++ b/sys/netinet/sctp_auth.c @@ -576,13 +576,12 @@ sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t key_id, int so_locked /* decrement the ref count */ if (skey) { - sctp_free_sharedkey(skey); SCTPDBG(SCTP_DEBUG_AUTH2, "%s: stcb %p key %u refcount release to %d\n", __FUNCTION__, (void *)stcb, key_id, skey->refcount); /* see if a notification should be generated */ - if ((skey->refcount <= 1) && (skey->deactivated)) { + if ((skey->refcount <= 2) && (skey->deactivated)) { /* notify ULP that key is no longer used */ sctp_ulp_notify(SCTP_NOTIFY_AUTH_FREE_KEY, stcb, key_id, 0, so_locked); @@ -590,6 +589,7 @@ sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t key_id, int so_locked "%s: stcb %p key %u no longer used, %d\n", __FUNCTION__, (void *)stcb, key_id, skey->refcount); } + sctp_free_sharedkey(skey); } } |