Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0c42749c authored by Vlad Yasevich's avatar Vlad Yasevich Committed by David S. Miller
Browse files

sctp: fix potential reference of a freed pointer 



When sctp attempts to update an assocition, it removes any
addresses that were not in the updated INITs.  However, the loop
may attempt to refrence a transport with address after removing it.

Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 561b1733

net/sctp/associola.c

+4 −2
Original line number Diff line number Diff line
@@ -1194,8 +1194,10 @@ void sctp_assoc_update(struct sctp_association *asoc, 
	/* Remove any peer addresses not present in the new association. */

	list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {

		trans = list_entry(pos, struct sctp_transport, transports);

		if (!sctp_assoc_lookup_paddr(new, &trans->ipaddr))

			sctp_assoc_del_peer(asoc, &trans->ipaddr);

		if (!sctp_assoc_lookup_paddr(new, &trans->ipaddr)) {

			sctp_assoc_rm_peer(asoc, trans);

			continue;

		}



		if (asoc->state >= SCTP_STATE_ESTABLISHED)

			sctp_transport_reset(trans);