Fix the check for updating an SCTP-AUTH key.
This bug could result in a use-after-free situation. Thanks
to 邵大成 <da_cheng_shao@yeah.net>
for reporting the issue.
diff --git a/usrsctplib/netinet/sctp_auth.c b/usrsctplib/netinet/sctp_auth.c
index db8133d..5cd8d31 100755
--- a/usrsctplib/netinet/sctp_auth.c
+++ b/usrsctplib/netinet/sctp_auth.c
@@ -34,7 +34,8 @@
#ifdef __FreeBSD__
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 339042 2018-10-01 14:05:31Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 352438 2019-09-17 09:46:42Z tuexen $");
+
#endif
#include <netinet/sctp_os.h>
@@ -525,7 +526,7 @@
} else if (new_skey->keyid == skey->keyid) {
/* replace the existing key */
/* verify this key *can* be replaced */
- if ((skey->deactivated) && (skey->refcount > 1)) {
+ if ((skey->deactivated) || (skey->refcount > 1)) {
SCTPDBG(SCTP_DEBUG_AUTH1,
"can't replace shared key id %u\n",
new_skey->keyid);
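Review bot: The comment above the corrected test, `/* verify this key *can* be replaced */`, still does not say what makes a key replaceable, and that is the invariant the old `&&` got wrong. I would spell it out next to the condition, for example `/* a key that is deactivated or still referenced elsewhere (refcount > 1) must not be freed and replaced here */`, so the link to the use-after-free named in the commit message stays visible in the code. The refusal is reported only through `SCTPDBG` in the visible lines. The enclosing function starts and ends outside the hunk, so it is worth confirming that this branch returns an error to the caller and leaves `new_skey` ownership unambiguous. A regression test that tries to replace a key held by another reference would pin the corrected behaviour.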