Fix a potential use-after-free bug introduced in

https://svnweb.freebsd.org/changeset/base/363046

Thanks to Taylor Brandstetter for finding this issue using fuzz testing
and reporting it in https://github.com/sctplab/usrsctp/issues/547

1 files changed, 3 insertions, 3 deletions

diff --git a/sys/netinet/sctp_indata.c b/sys/netinet/sctp_indata.c
index 1ad65ac48c76..08af27c934fb 100644
--- a/sys/netinet/sctp_indata.c
+++ b/sys/netinet/sctp_indata.c
@@ -5494,7 +5494,7 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
 	unsigned int i, fwd_sz, m_size;
 	uint32_t str_seq;
 	struct sctp_stream_in *strm;
-	struct sctp_queued_to_read *control, *sv;
+	struct sctp_queued_to_read *control, *ncontrol, *sv;
 
 	asoc = &stcb->asoc;
 	if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) {
@@ -5654,14 +5654,14 @@ sctp_handle_forward_tsn(struct sctp_tcb *stcb,
 			}
 			strm = &asoc->strmin[sid];
 			if (ordered) {
-				TAILQ_FOREACH(control, &strm->inqueue, next_instrm) {
+				TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, ncontrol) {
 					if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
 						sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
 					}
 				}
 			} else {
 				if (asoc->idata_supported) {
-					TAILQ_FOREACH(control, &strm->uno_inqueue, next_instrm) {
+					TAILQ_FOREACH_SAFE(control, &strm->uno_inqueue, next_instrm, ncontrol) {
 						if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
 							sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
 						}