From: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Date: Tue, 2 Jan 2018 19:44:37 -0200
> syzbot noticed a NULL pointer dereference panic in sctp_stream_free() > which was caused by an incomplete error handling in sctp_stream_init(). > By not clearing stream->outcnt, it made a for() in sctp_stream_free() > think that it had elements to free, but not, leading to the panic. > > As suggested by Xin Long, this patch also simplifies the error path by > moving it to the only if() that uses it. > > See-also: https://www.spinics.net/lists/netdev/msg473756.html > See-also: https://www.spinics.net/lists/netdev/msg465024.html > Reported-by: syzbot <syzkal...@googlegroups.com> > Fixes: f952be79cebd ("sctp: introduce struct sctp_stream_out_ext") > Signed-off-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Applied, thank you.
