From: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
Date: Tue, 2 Jan 2018 19:44:37 -0200

> syzbot noticed a NULL pointer dereference panic in sctp_stream_free()
> which was caused by an incomplete error handling in sctp_stream_init().
> By not clearing stream->outcnt, it made a for() in sctp_stream_free()
> think that it had elements to free, but not, leading to the panic.
>
> As suggested by Xin Long, this patch also simplifies the error path by
> moving it to the only if() that uses it.
>
> See-also: https://www.spinics.net/lists/netdev/msg473756.html
> See-also: https://www.spinics.net/lists/netdev/msg465024.html
> Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
> Fixes: f952be79cebd ("sctp: introduce struct sctp_stream_out_ext")
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>

Applied, thank you.
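
The failure mode the commit message describes, as an added example that is not part of the original mail and is not the kernel's code: a user-space model in which an init error path frees the array but leaves the count set, so the free loop's assumption no longer holds. Only out and outcnt come from the message; stream_init, stream_free, stream_consistent, fail_in and clear_outcnt are hypothetical names, and stream_free here refuses to run instead of dereferencing NULL.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space model (assumption); not the kernel's structures. */
struct stream_out { void *ext; };
struct stream { struct stream_out *out; unsigned short outcnt; int *in; };

/* The free loop relies on this: a non-zero count implies an array. */
static int stream_consistent(const struct stream *s)
{
    return s->outcnt == 0 || s->out != NULL;
}

/* fail_in injects a failure of the second allocation (constructed);
 * clear_outcnt selects the old (0) or corrected (1) error path. */
static int stream_init(struct stream *s, unsigned short outcnt,
                       int fail_in, int clear_outcnt)
{
    s->out = calloc(outcnt, sizeof(*s->out));
    if (!s->out)
        return -1;
    s->outcnt = outcnt;
    s->in = fail_in ? NULL : calloc(1, sizeof(*s->in));
    if (!s->in) {                 /* error path lives in the only if() using it */
        free(s->out);
        s->out = NULL;
        if (clear_outcnt)
            s->outcnt = 0;        /* the step the old error path lacked */
        return -1;
    }
    return 0;
}

/* Walks out[0..outcnt); returns -1 where the loop would hit a NULL array. */
static int stream_free(struct stream *s)
{
    if (!stream_consistent(s))
        return -1;
    for (unsigned short i = 0; i < s->outcnt; i++)
        free(s->out[i].ext);
    free(s->out);
    free(s->in);
    s->out = NULL; s->in = NULL; s->outcnt = 0;
    return 0;
}

int main(void)
{
    struct stream s = {0};
    stream_init(&s, 4, 1, 0);     /* constructed failure, old error path */
    printf("consistent after failed init: %d\n", stream_consistent(&s));
    return 0;
}
```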