CVE-2022-49838

In the Linux kernel, the following vulnerability has been resolved:

sctp: clear out_curr if all frag chunks of current msg are pruned

A crash was reported by Zhen Chen:

listdel corruption, ffffa035ddf01c18->next is NULL WARNING: CPU: 1 PID: 250682 at lib/listdebug.c:49 __listdelentryvalid+0x59/0xe0 RIP: 0010:listdelentryvalid+0x59/0xe0 Call Trace: sctpscheddequeuecommon+0x17/0x70 [sctp] sctpschedfcfsdequeue+0x37/0x50 [sctp] sctpoutqflushdata+0x85/0x360 [sctp] sctpoutquncork+0x77/0xa0 [sctp] sctpcmdinterpreter.constprop.0+0x164/0x1450 [sctp] sctpsideeffects+0x37/0xe0 [sctp] sctpdosm+0xd0/0x230 [sctp] sctpprimitiveSEND+0x2f/0x40 [sctp] sctpsendmsgtoasoc+0x3fa/0x5c0 [sctp] sctpsendmsg+0x3d5/0x440 [sctp] socksendmsg+0x5b/0x70

and in sctpschedfcfsdequeue() it dequeued a chunk from stream outcurr outq while this outq was empty.

Normally stream->outcurr must be set to NULL once all frag chunks of current msg are dequeued, as we can see in sctpscheddequeuedone(). However, in sctpprsctppruneunsent() as it is not a proper dequeue, sctpscheddequeuedone() is not called to do this.

This patch is to fix it by simply setting outcurr to NULL when the last frag chunk of current msg is dequeued from outcurr stream in sctpprsctpprune_unsent().