diff options
| author | tuexen <tuexen@FreeBSD.org> | 2015-03-25 22:45:54 +0000 |
|---|---|---|
| committer | tuexen <tuexen@FreeBSD.org> | 2015-03-25 22:45:54 +0000 |
| commit | 7ca13bb5b0e002377f2960d2a52d0ed422444506 (patch) | |
| tree | a8d81786a1fa81ea57affc3476ab8d8da7d20f65 /sys/netinet | |
| parent | b24b75c0748d2a95d185126b24c0a2a5b768cdc9 (diff) | |
| download | FreeBSD-src-7ca13bb5b0e002377f2960d2a52d0ed422444506.zip FreeBSD-src-7ca13bb5b0e002377f2960d2a52d0ed422444506.tar.gz | |
Make sure that we don't free an SCTP shared key too early.
Thanks to Pouyan Sepehrdad from Qualcomm Product Security Initiative
for reporting the issue.
MFC after: 3 days
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/sctp_auth.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet/sctp_auth.c b/sys/netinet/sctp_auth.c index 8ce2aab..7c2e194 100644 --- a/sys/netinet/sctp_auth.c +++ b/sys/netinet/sctp_auth.c @@ -576,13 +576,12 @@ sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t key_id, int so_locked /* decrement the ref count */ if (skey) { - sctp_free_sharedkey(skey); SCTPDBG(SCTP_DEBUG_AUTH2, "%s: stcb %p key %u refcount release to %d\n", __FUNCTION__, (void *)stcb, key_id, skey->refcount); /* see if a notification should be generated */ - if ((skey->refcount <= 1) && (skey->deactivated)) { + if ((skey->refcount <= 2) && (skey->deactivated)) { /* notify ULP that key is no longer used */ sctp_ulp_notify(SCTP_NOTIFY_AUTH_FREE_KEY, stcb, key_id, 0, so_locked); @@ -590,6 +589,7 @@ sctp_auth_key_release(struct sctp_tcb *stcb, uint16_t key_id, int so_locked "%s: stcb %p key %u no longer used, %d\n", __FUNCTION__, (void *)stcb, key_id, skey->refcount); } + sctp_free_sharedkey(skey); } } |
