Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: cherry-pick ffed0925f2 from WebRTC. #25853

Merged
merged 1 commit into from Oct 13, 2020
Merged

chore: cherry-pick ffed0925f2 from WebRTC. #25853

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 3 additions & 1 deletion patches/config.json
View file
Open in desktop
Expand Up @@ -5,5 +5,7 @@

"src/electron/patches/v8": "src/v8",

"src/electron/patches/node": "src/third_party/electron_node"
"src/electron/patches/node": "src/third_party/electron_node",

"src/electron/patches/usrsctp": "src/third_party/usrsctp/usrsctplib"
}
1 change: 1 addition & 0 deletions patches/usrsctp/.patches
View file
Open in desktop
@@ -0,0 +1 @@
fix_a_use-after-free_bug_for_the_userland_stack.patch
49 changes: 49 additions & 0 deletions patches/usrsctp/fix_a_use-after-free_bug_for_the_userland_stack.patch
View file
Open in desktop
@@ -0,0 +1,49 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pedro Pontes <pepontes@microsoft.com>
Date: Fri, 9 Oct 2020 18:03:51 +0200
Subject: Fix a use-after-free bug for the userland stack.

Backports https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019?branch=ffed0925f27d404173c1e3e750d818f432d2c019

diff --git a/usrsctplib/netinet/sctp_indata.c b/usrsctplib/netinet/sctp_indata.c
index 8b332355a5bfe5c25fa4fcc4afe4a740957a9075..38e1a9196f514bd480e5f4e5e34609ba0d910762 100755
--- a/usrsctplib/netinet/sctp_indata.c
+++ b/usrsctplib/netinet/sctp_indata.c
@@ -1694,6 +1694,7 @@ sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc,
int *break_flag, int last_chunk, uint8_t chk_type)
{
struct sctp_tmit_chunk *chk = NULL; /* make gcc happy */
+ struct sctp_stream_in *strm;
uint32_t tsn, fsn, gap, mid;
struct mbuf *dmbuf;
int the_len;
@@ -2329,12 +2330,13 @@ finish_express_del:
/* All can be removed */
TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
+ strm = &asoc->strmin[control->sinfo_stream];
sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
if (*abort_flag) {
return (0);
}
if (need_reasm_check) {
- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
need_reasm_check = 0;
}
}
@@ -2349,12 +2351,13 @@ finish_express_del:
* control->sinfo_tsn > liste->tsn
*/
TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
+ strm = &asoc->strmin[control->sinfo_stream];
sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
if (*abort_flag) {
return (0);
}
if (need_reasm_check) {
- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
+ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
need_reasm_check = 0;
}
}