- sctputil.c - If debug is on, the INPKILL timer can deref a freed value.

               Change so that we save off a type field for display and
               NULL inp just for good measure.

- sctp_output.c - Fix it so in sending to the loopback we use the
                  src address of the inbound INIT. We don't want
                  to do this for non local addresses since otherwise
                  we might be ingressed filtered so we need to use
                  the best src address and list the address sent to.

Obtained from:	time bug - Neil Wilson
MFC after:	1 week

1 files changed, 4 insertions, 4 deletions

diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c
index 05082ac..2fef0e0 100644
--- a/sys/netinet/sctputil.c
+++ b/sys/netinet/sctputil.c
@@ -1420,7 +1420,7 @@ sctp_timeout_handler(void *t)
 	struct socket *so;
 
 #endif
-	int did_output;
+	int did_output, type;
 	struct sctp_iterator *it = NULL;
 
 	tmr = (struct sctp_timer *)t;
@@ -1460,6 +1460,7 @@ sctp_timeout_handler(void *t)
 		it = (struct sctp_iterator *)inp;
 		inp = NULL;
 	}
+	type = tmr->type;
 	if (inp) {
 		SCTP_INP_INCR_REF(inp);
 		if ((inp->sctp_socket == 0) &&
@@ -1838,6 +1839,7 @@ sctp_timeout_handler(void *t)
 		sctp_timer_stop(SCTP_TIMER_TYPE_INPKILL, inp, NULL, NULL, SCTP_FROM_SCTPUTIL + SCTP_LOC_3);
 		sctp_inpcb_free(inp, SCTP_FREE_SHOULD_USE_ABORT,
 		    SCTP_CALLED_DIRECTLY_NOCMPSET);
+		inp = NULL;
 		goto out_no_decr;
 	default:
 		SCTPDBG(SCTP_DEBUG_TIMER1, "sctp_timeout_handler:unknown timer %d\n",
@@ -1869,9 +1871,7 @@ out_decr:
 	}
 out_no_decr:
 	SCTPDBG(SCTP_DEBUG_TIMER1, "Timer now complete (type %d)\n",
-	    tmr->type);
-	if (inp) {
-	}
+	    type);
 }
 
 void