From: Xin Long <lucien....@gmail.com>
Date: Mon, 29 Oct 2018 23:10:29 +0800

> If a transport is removed by asconf but there still are some chunks with
> this transport queuing on out_chunk_list, later a use-after-free issue
> will be caused when accessing this transport from these chunks in
> sctp_outq_flush().
>
> This is an old bug, we fix it by clearing the transport of these chunks
> in out_chunk_list when removing a transport in sctp_assoc_rm_peer().
>
> Reported-by: syzbot+56a40ceee5fb35932...@syzkaller.appspotmail.com
> Signed-off-by: Xin Long <lucien....@gmail.com>

Applied.
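
A simplified userspace model of the fix described in the quoted commit message, added here as an example and not taken from the patch or the kernel source. All struct and function names are hypothetical, and sending a chunk with no transport on a primary path is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; every name here is hypothetical, this is not kernel code. */
struct transport { unsigned sent; };
struct chunk { struct transport *transport; struct chunk *next; };
struct assoc {
    struct transport *primary;    /* fallback path (assumption of this model) */
    struct chunk *out_chunk_list; /* queued, not yet flushed */
};

/* Queue a chunk that remembers the transport it was built for. */
static void queue_chunk(struct assoc *a, struct transport *t) {
    struct chunk *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->transport = t;
    c->next = a->out_chunk_list;
    a->out_chunk_list = c;
}

/* Remove a transport: detach queued chunks from it before freeing it. */
static void assoc_rm_peer(struct assoc *a, struct transport *t) {
    for (struct chunk *c = a->out_chunk_list; c; c = c->next)
        if (c->transport == t)
            c->transport = NULL; /* otherwise the flush reads freed memory */
    free(t);
}

/* Flush the queue; returns how many chunks went out on the primary path. */
static unsigned outq_flush(struct assoc *a) {
    while (a->out_chunk_list) {
        struct chunk *c = a->out_chunk_list;
        struct transport *t = c->transport ? c->transport : a->primary;
        a->out_chunk_list = c->next;
        t->sent++;
        free(c);
    }
    return a->primary->sent;
}

/* Constructed scenario: three chunks queued on a transport that is removed. */
static unsigned demo(void) {
    struct transport primary = { 0 }, *gone = calloc(1, sizeof(*gone));
    struct assoc a = { &primary, NULL };
    if (!gone) abort();
    for (int i = 0; i < 3; i++) queue_chunk(&a, gone);
    assoc_rm_peer(&a, gone);
    return outq_flush(&a);
}

int main(void) { printf("%u\n", demo()); return 0; }
```

Building the model with `-fsanitize=address` and deleting the loop in `assoc_rm_peer()` makes the sanitizer report the stale access in `outq_flush()`, which is the class of bug the commit message describes.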