Fix the check for updating an SCTP-AUTH key.

This bug could result in a use-after-free situation. Thanks to 邵大成 <[email protected]> for reporting the issue.
sctplab · Sep 17, 2019 · c00245f · c00245f
1 parent 7e28028
commit c00245f
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/netinet/sctp_auth.c b/netinet/sctp_auth.c
@@ -34,7 +34,8 @@
 
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 339042 2018-10-01 14:05:31Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 352438 2019-09-17 09:46:42Z tuexen $");
+
 #endif
 
 #include <netinet/sctp_os.h>
@@ -525,7 +526,7 @@ sctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
 		} else if (new_skey->keyid == skey->keyid) {
 			/* replace the existing key */
 			/* verify this key *can* be replaced */
-			if ((skey->deactivated) && (skey->refcount > 1)) {
+			if ((skey->deactivated) || (skey->refcount > 1)) {
 				SCTPDBG(SCTP_DEBUG_AUTH1,
 					"can't replace shared key id %u\n",
 					new_skey->keyid);