aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVlad Yasevich <vladislav.yasevich@hp.com>2010-04-28 08:47:19 +0000
committerGreg Kroah-Hartman <gregkh@suse.de>2010-05-12 15:02:57 -0700
commitc9d7c3032e4d5850c4e019c186336466aa429626 (patch)
tree8bf6717ed9c1e617a6ec64018542c80541155cb5
parentfbcf931163be5f6c34cad7f00dc59ed83146e158 (diff)
sctp: fix potential reference of a freed pointer
[ Upstream commit 0c42749cffbb4a06be86c5e5db6c7ebad548781f ] When sctp attempts to update an assocition, it removes any addresses that were not in the updated INITs. However, the loop may attempt to refrence a transport with address after removing it. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/sctp/associola.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index df5abbff63e..99c93ee98ad 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1194,8 +1194,10 @@ void sctp_assoc_update(struct sctp_association *asoc,
/* Remove any peer addresses not present in the new association. */
list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
trans = list_entry(pos, struct sctp_transport, transports);
- if (!sctp_assoc_lookup_paddr(new, &trans->ipaddr))
- sctp_assoc_del_peer(asoc, &trans->ipaddr);
+ if (!sctp_assoc_lookup_paddr(new, &trans->ipaddr)) {
+ sctp_assoc_rm_peer(asoc, trans);
+ continue;
+ }
if (asoc->state >= SCTP_STATE_ESTABLISHED)
sctp_transport_reset(trans);