From: Alexey Simakov <a.simakov@securitycode.ru>
To: <marcelo.leitner@gmail.com>
Cc: Alexey Simakov <a.simakov@securitycode.ru>,
	<lucien.xin@gmail.com>, <davem@davemloft.net>,
	<edumazet@google.com>, <kuba@kernel.org>, <pabeni@redhat.com>,
	<horms@kernel.org>, <linux-sctp@vger.kernel.org>,
	<netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<lvc-project@linuxtesting.org>
Subject: [PATCH] sctp: fix null deref in sctp_sf_do_5_1D_ce()
Date: Mon, 22 Sep 2025 19:15:55 +0300
Message-ID: <20250922161557.2716-2-a.simakov@securitycode.ru>

The check of new_asoc->peer.adaptation_ind can fail,
leaving ai_ev uninitialized. In that case, the code
can jump to the nomem_authev label and later call
sctp_ulpevent_free() with a null ai_ev pointer,
leading to a potential null dereference.

Add a check of the ai_ev pointer before the call to the
sctp_ulpevent_free() function.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 30f6ebf65bc4 ("sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT")
Signed-off-by: Alexey Simakov <a.simakov@securitycode.ru>
---
 net/sctp/sm_statefuns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index a0524ba8d787..93cac73472c7 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -885,7 +885,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
        return SCTP_DISPOSITION_CONSUME;

 nomem_authev:
-       sctp_ulpevent_free(ai_ev);
+       if (ai_ev)
+               sctp_ulpevent_free(ai_ev);
 nomem_aiev:
        sctp_ulpevent_free(ev);
 nomem_ev:
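Review bot: the new `if (ai_ev)` guard at nomem_authev is only sound if ai_ev actually holds NULL on the path where new_asoc->peer.adaptation_ind is not set; the commit message calls it "uninitialized", and a truly uninitialized pointer would pass this check with indeterminate contents and still reach sctp_ulpevent_free(). Please confirm that ai_ev is initialized to NULL at its declaration in sctp_sf_do_5_1D_ce() (the hunk does not show the declaration) and reword the message to say the pointer is left NULL rather than uninitialized. It is also worth stating in the message why the unguarded `sctp_ulpevent_free(ev)` at nomem_aiev needs no such check, so the asymmetry between the two labels reads as deliberate.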
--
2.34.1

Confidentiality statement

This e-mail and any attachments to it are confidential and intended solely for the addressee. If you are not the addressee of this message, please notify the sender immediately, do not disclose its contents to others, do not use it for any purpose, and do not store or copy the information in any way.
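The failure path the commit message describes, as an added example that is not the patch's or the kernel's code: a userspace model of the goto-unwind ladder in sctp_sf_do_5_1D_ce(), with a constructed allocator, a hypothetical fault-injection enum (`fail_at`) and a stand-in `ulpevent_free()` that, like the real sctp_ulpevent_free(), reads the event before releasing it, so the `if (ai_ev)` guard is what keeps the adaptation_ind-off, auth-alloc-fails case from dereferencing NULL.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Stand-in for struct sctp_ulpevent; msg_flags is the field sctp_ulpevent_free() reads first. */
struct ulpevent { int msg_flags; };
enum disposition { DISPOSITION_CONSUME, DISPOSITION_NOMEM };
enum fail_at { FAIL_NONE, FAIL_EV, FAIL_AI_EV, FAIL_AUTH_EV };	/* fault injection, constructed */

static struct ulpevent *make_event(bool fail)
{
	struct ulpevent *ev = fail ? NULL : malloc(sizeof(*ev));
	if (ev)
		ev->msg_flags = 0x8000;	/* notification bit, standing in for MSG_NOTIFICATION */
	return ev;
}

/* Like sctp_ulpevent_free(): it reads the event before releasing it, so NULL dereferences. */
static void ulpevent_free(struct ulpevent *ev)
{
	if (ev->msg_flags & 0x8000)
		ev->msg_flags = 0;
	free(ev);
}

/* Model (hypothetical name) of the event setup and goto-unwind ladder in sctp_sf_do_5_1D_ce(). */
enum disposition do_5_1D_ce_model(bool adaptation_ind, bool auth_capable, enum fail_at fail)
{
	struct ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;
	if (!(ev = make_event(fail == FAIL_EV)))
		goto nomem_ev;
	if (adaptation_ind && !(ai_ev = make_event(fail == FAIL_AI_EV)))
		goto nomem_aiev;
	if (!auth_capable && !(auth_ev = make_event(fail == FAIL_AUTH_EV)))
		goto nomem_authev;
	/* Success path: the kernel queues the events to the ULP; here they are just released. */
	if (auth_ev)
		ulpevent_free(auth_ev);
	if (ai_ev)
		ulpevent_free(ai_ev);
	ulpevent_free(ev);
	return DISPOSITION_CONSUME;

nomem_authev:
	if (ai_ev)	/* the patched guard: ai_ev is still NULL when adaptation_ind is off */
		ulpevent_free(ai_ev);
nomem_aiev:
	ulpevent_free(ev);
nomem_ev:
	return DISPOSITION_NOMEM;
}
```

Removing the guard under nomem_authev and running the first case below reproduces the crash the patch prevents.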

Thread overview: 3+ messages
2025-09-22 16:15 Alexey Simakov [this message]
2025-09-22 16:15 ` [PATCH] sctp: fix null deref in sctp_sf_do_5_1D_ce() Alexey Simakov
2025-09-22 17:22 ` Xin Long