
Commit 559f749

tuexenAllan Sandfeld Jensen
authored and
Allan Sandfeld Jensen
committed
[Backport] CVE-2021-30523: Use after free in WebRTC
Manual backport of patch cherry-picked on https://chromium-review.googlesource.com/c/chromium/src/+/2893189: Cherry pick: Improve restart handling. This fixes in particular a possible use after free bug reported by Anatoly Korniltsev and Taylor Brandstetter for the userland stack Change-Id: Iac58373f368e198f7f799fd8f9a262521ed5c43c Reviewed-by: Allan Sandfeld Jensen <[email protected]>
1 parent 7948bec commit 559f749


1 file changed

+12
-8
lines changed

1 file changed

+12
-8
lines changed

chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_input.c

+12-8
Original file line numberDiff line numberDiff line change
@@ -2015,11 +2015,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
20152015
/* temp code */
20162016
if (how_indx < sizeof(asoc->cookie_how))
20172017
asoc->cookie_how[how_indx] = 12;
2018-
sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net,
2019-
SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
2020-
sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
2021-
SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
2022-
2018+
sctp_stop_association_timers(stcb, false);
20232019
/* notify upper layer */
20242020
*notification = SCTP_NOTIFY_ASSOC_RESTART;
20252021
atomic_add_int(&stcb->asoc.refcnt, 1);
@@ -2054,6 +2050,10 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
20542050
asoc->str_reset_seq_in = asoc->init_seq_number;
20552051

20562052
asoc->advanced_peer_ack_point = asoc->last_acked_seq;
2053+
asoc->data_pkts_seen = 0;
2054+
asoc->last_data_chunk_from = NULL;
2055+
asoc->last_control_chunk_from = NULL;
2056+
asoc->last_net_cmt_send_started = NULL;
20572057
if (asoc->mapping_array) {
20582058
memset(asoc->mapping_array, 0,
20592059
asoc->mapping_array_size);
@@ -2118,6 +2118,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
21182118
SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
21192119
SCTP_DECR_CHK_COUNT();
21202120
}
2121+
asoc->ctrl_queue_cnt = 0;
2122+
asoc->str_reset = NULL;
2123+
asoc->stream_reset_outstanding = 0;
21212124
TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
21222125
TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
21232126
if (chk->data) {
@@ -2189,12 +2192,13 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
21892192
return (NULL);
21902193
}
21912194
/* respond with a COOKIE-ACK */
2192-
sctp_stop_all_cookie_timers(stcb);
2193-
sctp_toss_old_cookies(stcb, asoc);
21942195
sctp_send_cookie_ack(stcb);
21952196
if (how_indx < sizeof(asoc->cookie_how))
21962197
asoc->cookie_how[how_indx] = 15;
2197-
2198+
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE) &&
2199+
(asoc->sctp_autoclose_ticks > 0)) {
2200+
sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
2201+
}
21982202
return (stcb);
21992203
}
22002204
if (how_indx < sizeof(asoc->cookie_how))
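Review bot: The three pointer resets added in the second hunk (`last_data_chunk_from`, `last_control_chunk_from`, `last_net_cmt_send_started`) are the part of this backport that actually addresses the use-after-free named in the title, yet nothing at that site says why they are cleared, so a later cleanup could drop them as redundant. A one-line why-comment above them would tie the code to the fix, e.g. `/* Restart may tear down nets; drop cached net pointers so nothing dereferences a freed one (CVE-2021-30523). */` — presumably these fields point at `struct sctp_nets` entries freed elsewhere in the restart path, which is outside the hunk and should be confirmed. The same applies to `asoc->str_reset = NULL;` in the third hunk, which is set after the control queue it may reference has been freed; a comment noting that ordering would help. In the first hunk, the bare `false` passed to `sctp_stop_association_timers` is opaque at the call site and deserves a short comment naming the timer it leaves running. `sctp_process_cookie_existing` begins and ends outside these hunks.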
