From: David Laight <david.laight.linux@gmail.com>
To: Michael Bommarito <michael.bommarito@gmail.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
Xin Long <lucien.xin@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Vlad Yasevich <vladislav.yasevich@hp.com>,
linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
Date: Fri, 5 Jun 2026 09:52:28 +0100 [thread overview]
Message-ID: <20260605095228.75430455@pumpkin> (raw)
In-Reply-To: <20260604175803.2142975-1-michael.bommarito@gmail.com>
On Thu, 4 Jun 2026 13:58:03 -0400
Michael Bommarito <michael.bommarito@gmail.com> wrote:
> __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
> chunk can hold the ADDIP header and a parameter header, then calls
> af->from_addr_param(), which reads the full address (16 bytes for IPv6)
> trusting the parameter's declared length.
>
> An unauthenticated peer can send a truncated trailing ASCONF chunk that
> declares an IPv6 address parameter but stops after the 4-byte parameter
> header; reached from the no-association lookup path, from_addr_param() then
> reads uninitialized bytes past the parameter.
>
> Impact: an unauthenticated SCTP peer makes the receive path read up to 16
> bytes of uninitialized memory past a truncated ASCONF address parameter.
>
> The sibling __sctp_rcv_init_lookup() bounds parameters with
> sctp_walk_params(); this path open-codes the fetch and omits the bound.
> Verify the whole address parameter lies within the chunk before
> from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
> ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
>
> Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
> ---
> net/sctp/input.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/net/sctp/input.c b/net/sctp/input.c
> --- a/net/sctp/input.c
> +++ b/net/sctp/input.c
> @@ -1196,6 +1196,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
> struct sctp_addip_chunk *asconf = (struct sctp_addip_chunk *)ch;
> struct sctp_af *af;
> union sctp_addr_param *param;
> union sctp_addr paddr;
> + __u16 plen;
Just use 'unsigned int'.
>
> if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
> return NULL;
It might be more obvious to check the 'free space' from the test above, say:
int param_space = ntohs(ch->length);
param_space -= sizeof(*asconf) + sizeof(struct sctp_paramhdr);
if (param_space < 0)
return NULL;
param = (union sctp_addr_param *)(asconf + 1);
if (ntohs(param->p.length) > param_space)
return NULL;
-- David
> @@ -1204,6 +1205,16 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
> /* Skip over the ADDIP header and find the Address parameter */
> param = (union sctp_addr_param *)(asconf + 1);
>
> + /* The whole address parameter must lie within the chunk before
> + * af->from_addr_param() reads the variable-length address; otherwise a
> + * truncated trailing ASCONF chunk lets it read uninitialized bytes past
> + * the parameter. Mirror the bound sctp_walk_params() applies on the
> + * INIT path.
> + */
> + plen = ntohs(param->p.length);
> + if (plen < sizeof(struct sctp_paramhdr) ||
> + (u8 *)param + plen > (u8 *)ch + ntohs(ch->length))
> + return NULL;
> +
> af = sctp_get_af_specific(param_type2af(param->p.type));
> if (unlikely(!af))
> return NULL;
>
next prev parent reply other threads:[~2026-06-05 8:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 17:58 [PATCH net] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Michael Bommarito
2026-06-05 8:52 ` David Laight [this message]
2026-06-05 15:44 ` Xin Long
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605095228.75430455@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=marcelo.leitner@gmail.com \
--cc=michael.bommarito@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=vladislav.yasevich@hp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox