From owner-svn-src-stable@FreeBSD.ORG Fri May 29 13:23:17 2015 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A11D9183; Fri, 29 May 2015 13:23:17 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8F0AE1DC0; Fri, 29 May 2015 13:23:17 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t4TDNHUt058549; Fri, 29 May 2015 13:23:17 GMT (envelope-from tuexen@FreeBSD.org) Received: (from tuexen@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t4TDNHto058548; Fri, 29 May 2015 13:23:17 GMT (envelope-from tuexen@FreeBSD.org) Message-Id: <201505291323.t4TDNHto058548@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f From: Michael Tuexen Date: Fri, 29 May 2015 13:23:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r283734 - stable/10/sys/netinet X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 May 2015 13:23:17 -0000 Author: tuexen Date: Fri May 29 13:23:16 2015 New Revision: 283734 URL: https://svnweb.freebsd.org/changeset/base/283734 Log: MFC r280642: Make sure that we don't free an SCTP shared key too early. Thanks to Pouyan Sepehrdad from Qualcomm Product Security Initiative for reporting the issue. Modified: stable/10/sys/netinet/sctp_auth.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netinet/sctp_auth.c ============================================================================== --- stable/10/sys/netinet/sctp_auth.c Fri May 29 13:20:39 2015 (r283733) +++ stable/10/sys/netinet/sctp_auth.c Fri May 29 13:23:16 2015 (r283734) @@ -576,13 +576,12 @@ sctp_auth_key_release(struct sctp_tcb *s /* decrement the ref count */ if (skey) { - sctp_free_sharedkey(skey); SCTPDBG(SCTP_DEBUG_AUTH2, "%s: stcb %p key %u refcount release to %d\n", __FUNCTION__, (void *)stcb, key_id, skey->refcount); /* see if a notification should be generated */ - if ((skey->refcount <= 1) && (skey->deactivated)) { + if ((skey->refcount <= 2) && (skey->deactivated)) { /* notify ULP that key is no longer used */ sctp_ulp_notify(SCTP_NOTIFY_AUTH_FREE_KEY, stcb, key_id, 0, so_locked); @@ -590,6 +589,7 @@ sctp_auth_key_release(struct sctp_tcb *s "%s: stcb %p key %u no longer used, %d\n", __FUNCTION__, (void *)stcb, key_id, skey->refcount); } + sctp_free_sharedkey(skey); } }