From: Xin Long <lucien.xin@xxxxxxxxx>
Date: Mon, 29 Oct 2018 23:10:29 +0800

> If a transport is removed by asconf but there still are some chunks with
> this transport queuing on out_chunk_list, later a use-after-free issue
> will be caused when accessing this transport from these chunks in
> sctp_outq_flush().
>
> This is an old bug, we fix it by clearing the transport of these chunks
> in out_chunk_list when removing a transport in sctp_assoc_rm_peer().
>
> Reported-by: syzbot+56a40ceee5fb35932f4d@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>

Applied.
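
As an added illustration (not part of this mail or of the kernel patch it refers to), here is a simplified user-space C model of the fix the quoted commit message describes: queued chunks drop their reference to a transport before that transport is freed. All struct and function names are hypothetical, and the fallback to a primary path at flush time is an assumption of the model.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified user-space model; names are hypothetical, not the kernel's. */
struct transport { int id; };

struct chunk {
    struct transport *transport;  /* path this chunk was queued for */
    struct chunk *next;
};

struct assoc {
    struct transport *primary;    /* path that remains after the removal */
    struct chunk *out_chunk_list; /* chunks waiting to be flushed */
};

/* Queue a chunk bound to transport t at the head of the list. */
static struct chunk *queue_chunk(struct assoc *a, struct transport *t)
{
    struct chunk *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->transport = t;
    c->next = a->out_chunk_list;
    a->out_chunk_list = c;
    return c;
}

/* Remove a peer transport: clear every queued reference BEFORE freeing it,
 * so no chunk is left holding a dangling pointer. Returns the number cleared. */
static int rm_peer(struct assoc *a, struct transport *peer)
{
    int cleared = 0;
    for (struct chunk *c = a->out_chunk_list; c; c = c->next) {
        if (c->transport == peer) {
            c->transport = NULL;
            cleared++;
        }
    }
    free(peer);
    return cleared;
}

/* Flush-side view (assumption of this model): a chunk with no transport
 * falls back to the association's primary path. */
static struct transport *pick_transport(const struct assoc *a, const struct chunk *c)
{
    return c->transport ? c->transport : a->primary;
}
```

Without the loop in `rm_peer()`, the chunks queued for the removed transport would still point at freed memory when the flush step reads `c->transport`.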