Fix the check for updating an SCTP-AUTH key. This bug could result in a use-after-free situation. Thanks to \xe9\x82\xb5\xe5\xa4\xa7\xe6\x88\x90 <da_cheng_shao@yeah.net> for reporting the issue.

commit: 928bf9cc66892c809fcfb6c7985887a1f381aac4 [log] [tgz]
author: Michael Tuexen <tuexen@fh-muenster.de> Tue Sep 17 12:08:45 2019 +0200
committer: Michael Tuexen <tuexen@fh-muenster.de> Tue Sep 17 12:08:45 2019 +0200
tree: 97a8dfd933a5ed02e788e9f0c610765f693d8c37
parent: 237fc694b85963cf925e66c97de3207a28f08e6c [diff]
diff --git a/usrsctplib/netinet/sctp_auth.c b/usrsctplib/netinet/sctp_auth.c
index db8133d..5cd8d31 100755
--- a/usrsctplib/netinet/sctp_auth.c
+++ b/usrsctplib/netinet/sctp_auth.c

@@ -34,7 +34,8 @@
 
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 339042 2018-10-01 14:05:31Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 352438 2019-09-17 09:46:42Z tuexen $");
+
 #endif
 
 #include <netinet/sctp_os.h>
@@ -525,7 +526,7 @@
 		} else if (new_skey->keyid == skey->keyid) {
 			/* replace the existing key */
 			/* verify this key *can* be replaced */
-			if ((skey->deactivated) && (skey->refcount > 1)) {
+			if ((skey->deactivated) || (skey->refcount > 1)) {
 				SCTPDBG(SCTP_DEBUG_AUTH1,
 					"can't replace shared key id %u\n",
 					new_skey->keyid);
commit	928bf9cc66892c809fcfb6c7985887a1f381aac4	[log] [tgz]
author	Michael Tuexen <tuexen@fh-muenster.de>	Tue Sep 17 12:08:45 2019 +0200
committer	Michael Tuexen <tuexen@fh-muenster.de>	Tue Sep 17 12:08:45 2019 +0200
tree	97a8dfd933a5ed02e788e9f0c610765f693d8c37
parent	237fc694b85963cf925e66c97de3207a28f08e6c [diff]