Ensure that the SCTP iterator runs with an stcb and inp, which belong to

each other. Reported by: syzbot+82d39d14f2f765e38db0@syzkaller.appspotmail.com MFC after: 3 days
freebsd · May 10, 2020 · c3ef0c2 · c3ef0c2
1 parent 6c9202d
commit c3ef0c2
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c
@@ -1489,6 +1489,7 @@ sctp_iterator_work(struct sctp_iterator *it)
 		}
 		tinp = it->inp;
 		it->inp = LIST_NEXT(it->inp, sctp_list);
+		it->stcb = NULL;
 		SCTP_INP_RUNLOCK(tinp);
 		if (it->inp == NULL) {
 			goto done_with_iterator;
@@ -1558,6 +1559,9 @@ sctp_iterator_work(struct sctp_iterator *it)
 			atomic_add_int(&it->stcb->asoc.refcnt, -1);
 			iteration_count = 0;
 		}
+		KASSERT(it->inp == it->stcb->sctp_ep,
+		        ("%s: stcb %p does not belong to inp %p, but inp %p",
+		         __func__, it->stcb, it->inp, it->stcb->sctp_ep));
 
 		/* run function on this one */
 		(*it->function_assoc) (it->inp, it->stcb, it->pointer, it->val);
@@ -1590,6 +1594,7 @@ sctp_iterator_work(struct sctp_iterator *it)
 	} else {
 		it->inp = LIST_NEXT(it->inp, sctp_list);
 	}
+	it->stcb = NULL;
 	if (it->inp == NULL) {
 		goto done_with_iterator;
 	}