[PATCH net] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

[PATCH net] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

[Michael Bommarito]

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
chunk can hold the ADDIP header and a parameter header, then calls
af->from_addr_param(), which reads the full address (16 bytes for IPv6)
trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that
declares an IPv6 address parameter but stops after the 4-byte parameter
header; reached from the no-association lookup path, from_addr_param() then
reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16
bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with
sctp_walk_params(); this path open-codes the fetch and omits the bound.
Verify the whole address parameter lies within the chunk before
from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").

Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
 net/sctp/input.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/sctp/input.c b/net/sctp/input.c
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1196,6 +1196,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
 	struct sctp_addip_chunk *asconf = (struct sctp_addip_chunk *)ch;
 	struct sctp_af *af;
 	union sctp_addr_param *param;
 	union sctp_addr paddr;
+	__u16 plen;
 
 	if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
 		return NULL;
@@ -1204,6 +1205,16 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
 	/* Skip over the ADDIP header and find the Address parameter */
 	param = (union sctp_addr_param *)(asconf + 1);
 
+	/* The whole address parameter must lie within the chunk before
+	 * af->from_addr_param() reads the variable-length address; otherwise a
+	 * truncated trailing ASCONF chunk lets it read uninitialized bytes past
+	 * the parameter.  Mirror the bound sctp_walk_params() applies on the
+	 * INIT path.
+	 */
+	plen = ntohs(param->p.length);
+	if (plen < sizeof(struct sctp_paramhdr) ||
+	    (u8 *)param + plen > (u8 *)ch + ntohs(ch->length))
+		return NULL;
+
 	af = sctp_get_af_specific(param_type2af(param->p.type));
 	if (unlikely(!af))
 		return NULL;

Re: [PATCH net] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

[David Laight]

On Thu,  4 Jun 2026 13:58:03 -0400
Michael Bommarito <michael.bommarito@gmail.com> wrote:

> __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
> chunk can hold the ADDIP header and a parameter header, then calls
> af->from_addr_param(), which reads the full address (16 bytes for IPv6)
> trusting the parameter's declared length.
> 
> An unauthenticated peer can send a truncated trailing ASCONF chunk that
> declares an IPv6 address parameter but stops after the 4-byte parameter
> header; reached from the no-association lookup path, from_addr_param() then
> reads uninitialized bytes past the parameter.
> 
> Impact: an unauthenticated SCTP peer makes the receive path read up to 16
> bytes of uninitialized memory past a truncated ASCONF address parameter.
> 
> The sibling __sctp_rcv_init_lookup() bounds parameters with
> sctp_walk_params(); this path open-codes the fetch and omits the bound.
> Verify the whole address parameter lies within the chunk before
> from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
> ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
> 
> Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
> ---
>  net/sctp/input.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/net/sctp/input.c b/net/sctp/input.c
> --- a/net/sctp/input.c
> +++ b/net/sctp/input.c
> @@ -1196,6 +1196,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
>  	struct sctp_addip_chunk *asconf = (struct sctp_addip_chunk *)ch;
>  	struct sctp_af *af;
>  	union sctp_addr_param *param;
>  	union sctp_addr paddr;
> +	__u16 plen;

Just use 'unsigned int'.

>  
>  	if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
>  		return NULL;

It might be more obvious to check the 'free space' from the test above, say:
	int param_space = ntohs(ch->length);
	param_space -= sizeof(*asconf) + sizeof(struct sctp_paramhdr);
	if (param_space < 0)
		return NULL;

	param = (union sctp_addr_param *)(asconf + 1);
	if (ntohs(param->p.length) > param_space)
		return NULL;

-- David

> @@ -1204,6 +1205,16 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
>  	/* Skip over the ADDIP header and find the Address parameter */
>  	param = (union sctp_addr_param *)(asconf + 1);
>  
> +	/* The whole address parameter must lie within the chunk before
> +	 * af->from_addr_param() reads the variable-length address; otherwise a
> +	 * truncated trailing ASCONF chunk lets it read uninitialized bytes past
> +	 * the parameter.  Mirror the bound sctp_walk_params() applies on the
> +	 * INIT path.
> +	 */
> +	plen = ntohs(param->p.length);
> +	if (plen < sizeof(struct sctp_paramhdr) ||
> +	    (u8 *)param + plen > (u8 *)ch + ntohs(ch->length))
> +		return NULL;
> +
>  	af = sctp_get_af_specific(param_type2af(param->p.type));
>  	if (unlikely(!af))
>  		return NULL;
>