[PATCH net v3] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

[PATCH net v3] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

[Michael Bommarito]

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
chunk can hold the ADDIP header and a parameter header, then calls
af->from_addr_param(), which reads the full address (16 bytes for IPv6)
trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that
declares an IPv6 address parameter but stops after the 4-byte parameter
header; reached from the no-association lookup path, from_addr_param() then
reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16
bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with
sctp_walk_params(); this path open-codes the fetch and omits the bound.
Verify the whole address parameter lies within the chunk before
from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").

Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
v3:
- Simplify to a single bounds check that the whole address parameter
  fits in the chunk, written as an addition to avoid unsigned wrap
  (David Laight); drop the redundant lower-bound test and the
  param_space/plen locals (Xin Long).
v2:
- Regenerate from net/main so the patch has index lines and applies
  cleanly (Xin Long).
- Use unsigned int for the decoded length and compare it against the
  remaining parameter space after the ADDIP header (David Laight).
v2: https://lore.kernel.org/all/20260606183821.1688525-1-michael.bommarito@gmail.com/
v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@gmail.com/

 net/sctp/input.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index e119e460ccde0..864741fae4187 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1204,6 +1204,14 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
 	/* Skip over the ADDIP header and find the Address parameter */
 	param = (union sctp_addr_param *)(asconf + 1);
 
+	/* The whole address parameter must lie within the chunk before
+	 * af->from_addr_param() reads the variable-length address; otherwise a
+	 * truncated trailing ASCONF chunk lets it read uninitialized bytes past
+	 * the parameter.
+	 */
+	if (sizeof(*asconf) + ntohs(param->p.length) > ntohs(ch->length))
+		return NULL;
+
 	af = sctp_get_af_specific(param_type2af(param->p.type));
 	if (unlikely(!af))
 		return NULL;

base-commit: 9988931df99cf5d68af360e1f23b9c674a0b1b4f
-- 
2.53.0

Re: [PATCH net v3] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

[Xin Long]

On Mon, Jun 8, 2026 at 8:22 AM Michael Bommarito
<michael.bommarito@gmail.com> wrote:
>
> __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
> chunk can hold the ADDIP header and a parameter header, then calls
> af->from_addr_param(), which reads the full address (16 bytes for IPv6)
> trusting the parameter's declared length.
>
> An unauthenticated peer can send a truncated trailing ASCONF chunk that
> declares an IPv6 address parameter but stops after the 4-byte parameter
> header; reached from the no-association lookup path, from_addr_param() then
> reads uninitialized bytes past the parameter.
>
> Impact: an unauthenticated SCTP peer makes the receive path read up to 16
> bytes of uninitialized memory past a truncated ASCONF address parameter.
>
> The sibling __sctp_rcv_init_lookup() bounds parameters with
> sctp_walk_params(); this path open-codes the fetch and omits the bound.
> Verify the whole address parameter lies within the chunk before
> from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
> ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
>
> Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
> ---
> v3:
> - Simplify to a single bounds check that the whole address parameter
>   fits in the chunk, written as an addition to avoid unsigned wrap
>   (David Laight); drop the redundant lower-bound test and the
>   param_space/plen locals (Xin Long).
> v2:
> - Regenerate from net/main so the patch has index lines and applies
>   cleanly (Xin Long).
> - Use unsigned int for the decoded length and compare it against the
>   remaining parameter space after the ADDIP header (David Laight).
> v2: https://lore.kernel.org/all/20260606183821.1688525-1-michael.bommarito@gmail.com/
> v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@gmail.com/
>
>  net/sctp/input.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/net/sctp/input.c b/net/sctp/input.c
> index e119e460ccde0..864741fae4187 100644
> --- a/net/sctp/input.c
> +++ b/net/sctp/input.c
> @@ -1204,6 +1204,14 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
>         /* Skip over the ADDIP header and find the Address parameter */
>         param = (union sctp_addr_param *)(asconf + 1);
>
> +       /* The whole address parameter must lie within the chunk before
> +        * af->from_addr_param() reads the variable-length address; otherwise a
> +        * truncated trailing ASCONF chunk lets it read uninitialized bytes past
> +        * the parameter.
> +        */
> +       if (sizeof(*asconf) + ntohs(param->p.length) > ntohs(ch->length))
> +               return NULL;
> +
>         af = sctp_get_af_specific(param_type2af(param->p.type));
>         if (unlikely(!af))
>                 return NULL;
>
> base-commit: 9988931df99cf5d68af360e1f23b9c674a0b1b4f
> --
> 2.53.0
>

Acked-by: Xin Long <lucien.xin@gmail.com>

Note in:
https://sashiko.dev/#/patchset/20260608122234.459098-1-michael.bommarito%40gmail.com

The pre-existing issue reported looks real to me, I may address it in
sctp_verify_asconf() and sctp_verify_init() in a separate patch.

Thanks.

Re: [PATCH net v3] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon,  8 Jun 2026 08:22:34 -0400 you wrote:
> __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
> chunk can hold the ADDIP header and a parameter header, then calls
> af->from_addr_param(), which reads the full address (16 bytes for IPv6)
> trusting the parameter's declared length.
> 
> An unauthenticated peer can send a truncated trailing ASCONF chunk that
> declares an IPv6 address parameter but stops after the 4-byte parameter
> header; reached from the no-association lookup path, from_addr_param() then
> reads uninitialized bytes past the parameter.
> 
> [...]

Here is the summary with links:
  - [net,v3] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
    https://git.kernel.org/netdev/net/c/f8373d7090b7

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html