[PATCH net v2] sctp: fix uninit-value in __sctp_rcv_asconf

Netdev List
 help / color / mirror / Atom feed

* [PATCH net v2] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
@ 2026-06-06 18:38 Michael Bommarito
  2026-06-07 23:42 ` Xin Long
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Bommarito @ 2026-06-06 18:38 UTC (permalink / raw)
  To: Marcelo Ricardo Leitner, Xin Long
  Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Vlad Yasevich, linux-sctp, netdev, linux-kernel

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
chunk can hold the ADDIP header and a parameter header, then calls
af->from_addr_param(), which reads the full address (16 bytes for IPv6)
trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that
declares an IPv6 address parameter but stops after the 4-byte parameter
header; reached from the no-association lookup path, from_addr_param() then
reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16
bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with
sctp_walk_params(); this path open-codes the fetch and omits the bound.
Verify the whole address parameter lies within the chunk before
from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").

Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
v2:
- Regenerate from net/main so the patch has index lines and applies
  cleanly (Xin Long).
- Use unsigned int for the decoded length and compare it against the
  remaining parameter space after the ADDIP header (David Laight).
v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@gmail.com/

 net/sctp/input.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index e119e460ccde0..c63d42500aa28 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1197,13 +1197,26 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
 	struct sctp_af *af;
 	union sctp_addr_param *param;
 	union sctp_addr paddr;
+	unsigned int param_space;
+	unsigned int plen;

 	if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
 		return NULL;

+	param_space = ntohs(ch->length) - sizeof(*asconf);
+
 	/* Skip over the ADDIP header and find the Address parameter */
 	param = (union sctp_addr_param *)(asconf + 1);

+	/* The whole address parameter must lie within the chunk before
+	 * af->from_addr_param() reads the variable-length address; otherwise a
+	 * truncated trailing ASCONF chunk lets it read uninitialized bytes past
+	 * the parameter.
+	 */
+	plen = ntohs(param->p.length);
+	if (plen < sizeof(struct sctp_paramhdr) || plen > param_space)
+		return NULL;
+
 	af = sctp_get_af_specific(param_type2af(param->p.type));
 	if (unlikely(!af))
 		return NULL;
-- 
2.53.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net v2] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
  2026-06-06 18:38 [PATCH net v2] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Michael Bommarito
@ 2026-06-07 23:42 ` Xin Long
  2026-06-08  8:42   ` David Laight
  0 siblings, 1 reply; 3+ messages in thread
From: Xin Long @ 2026-06-07 23:42 UTC (permalink / raw)
  To: Michael Bommarito
  Cc: Marcelo Ricardo Leitner, David S . Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, Vlad Yasevich,
	linux-sctp, netdev, linux-kernel

On Sat, Jun 6, 2026 at 2:39 PM Michael Bommarito
<michael.bommarito@gmail.com> wrote:
>
> __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
> chunk can hold the ADDIP header and a parameter header, then calls
> af->from_addr_param(), which reads the full address (16 bytes for IPv6)
> trusting the parameter's declared length.
>
> An unauthenticated peer can send a truncated trailing ASCONF chunk that
> declares an IPv6 address parameter but stops after the 4-byte parameter
> header; reached from the no-association lookup path, from_addr_param() then
> reads uninitialized bytes past the parameter.
>
> Impact: an unauthenticated SCTP peer makes the receive path read up to 16
> bytes of uninitialized memory past a truncated ASCONF address parameter.
>
> The sibling __sctp_rcv_init_lookup() bounds parameters with
> sctp_walk_params(); this path open-codes the fetch and omits the bound.
> Verify the whole address parameter lies within the chunk before
> from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
> ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
>
> Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
> ---
> v2:
> - Regenerate from net/main so the patch has index lines and applies
>   cleanly (Xin Long).
> - Use unsigned int for the decoded length and compare it against the
>   remaining parameter space after the ADDIP header (David Laight).
> v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@gmail.com/
>
>  net/sctp/input.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/net/sctp/input.c b/net/sctp/input.c
> index e119e460ccde0..c63d42500aa28 100644
> --- a/net/sctp/input.c
> +++ b/net/sctp/input.c
> @@ -1197,13 +1197,26 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
>         struct sctp_af *af;
>         union sctp_addr_param *param;
>         union sctp_addr paddr;
> +       unsigned int param_space;
> +       unsigned int plen;
>
>         if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
>                 return NULL;
>
> +       param_space = ntohs(ch->length) - sizeof(*asconf);
> +
>         /* Skip over the ADDIP header and find the Address parameter */
>         param = (union sctp_addr_param *)(asconf + 1);
>
> +       /* The whole address parameter must lie within the chunk before
> +        * af->from_addr_param() reads the variable-length address; otherwise a
> +        * truncated trailing ASCONF chunk lets it read uninitialized bytes past
> +        * the parameter.
> +        */
> +       plen = ntohs(param->p.length);
> +       if (plen < sizeof(struct sctp_paramhdr) || plen > param_space)
> +               return NULL;
> +
I think we don't really need to check plen < sizeof(struct sctp_paramhdr).
This check is to ensure param->p.length can be safely accessed, but it's
already guaranteed by the early check:

if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))

I think you can just simplify your patch to:

if (ntohs(param->p.length) > ntohs(ch->length) - sizeof(*asconf))
        return NULL;

Also note  ntohs(param->p.length) < sizeof(struct sctp_paramhdr) will be
caught by af->from_addr_param(sctp_v4/v6_from_addr_param) and return NULL.

Thanks.

>         af = sctp_get_af_specific(param_type2af(param->p.type));
>         if (unlikely(!af))
>                 return NULL;
> --
> 2.53.0

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net v2] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
  2026-06-07 23:42 ` Xin Long
@ 2026-06-08  8:42   ` David Laight
  0 siblings, 0 replies; 3+ messages in thread
From: David Laight @ 2026-06-08  8:42 UTC (permalink / raw)
  To: Xin Long
  Cc: Michael Bommarito, Marcelo Ricardo Leitner, David S . Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
	Vlad Yasevich, linux-sctp, netdev, linux-kernel

On Sun, 7 Jun 2026 19:42:25 -0400
Xin Long <lucien.xin@gmail.com> wrote:

> On Sat, Jun 6, 2026 at 2:39 PM Michael Bommarito
> <michael.bommarito@gmail.com> wrote:
> >
> > __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
> > chunk can hold the ADDIP header and a parameter header, then calls
> > af->from_addr_param(), which reads the full address (16 bytes for IPv6)
> > trusting the parameter's declared length.
> >
> > An unauthenticated peer can send a truncated trailing ASCONF chunk that
> > declares an IPv6 address parameter but stops after the 4-byte parameter
> > header; reached from the no-association lookup path, from_addr_param() then
> > reads uninitialized bytes past the parameter.
> >
> > Impact: an unauthenticated SCTP peer makes the receive path read up to 16
> > bytes of uninitialized memory past a truncated ASCONF address parameter.
> >
> > The sibling __sctp_rcv_init_lookup() bounds parameters with
> > sctp_walk_params(); this path open-codes the fetch and omits the bound.
> > Verify the whole address parameter lies within the chunk before
> > from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
> > ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
> >
> > Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
> > Assisted-by: Claude:claude-opus-4-8
> > Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
> > ---
> > v2:
> > - Regenerate from net/main so the patch has index lines and applies
> >   cleanly (Xin Long).
> > - Use unsigned int for the decoded length and compare it against the
> >   remaining parameter space after the ADDIP header (David Laight).
> > v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@gmail.com/
> >
> >  net/sctp/input.c | 13 +++++++++++++
> >  1 file changed, 13 insertions(+)
> >
> > diff --git a/net/sctp/input.c b/net/sctp/input.c
> > index e119e460ccde0..c63d42500aa28 100644
> > --- a/net/sctp/input.c
> > +++ b/net/sctp/input.c
> > @@ -1197,13 +1197,26 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
> >         struct sctp_af *af;
> >         union sctp_addr_param *param;
> >         union sctp_addr paddr;
> > +       unsigned int param_space;
> > +       unsigned int plen;
> >
> >         if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
> >                 return NULL;
> >
> > +       param_space = ntohs(ch->length) - sizeof(*asconf);
> > +
> >         /* Skip over the ADDIP header and find the Address parameter */
> >         param = (union sctp_addr_param *)(asconf + 1);
> >
> > +       /* The whole address parameter must lie within the chunk before
> > +        * af->from_addr_param() reads the variable-length address; otherwise a
> > +        * truncated trailing ASCONF chunk lets it read uninitialized bytes past
> > +        * the parameter.
> > +        */
> > +       plen = ntohs(param->p.length);
> > +       if (plen < sizeof(struct sctp_paramhdr) || plen > param_space)
> > +               return NULL;
> > +  
> I think we don't really need to check plen < sizeof(struct sctp_paramhdr).
> This check is to ensure param->p.length can be safely accessed, but it's
> already guaranteed by the early check:
> 
> if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
> 
> I think you can just simplify your patch to:
> 
> if (ntohs(param->p.length) > ntohs(ch->length) - sizeof(*asconf))
>         return NULL;

To stop having to think about the values wrapping, how about swapping to:
	if (sizeof(*asconf) + ntohs(param->p.length) > ntohs(ch->length))
		return NULL;
so that it is 100% clear they don't.
Even if the earlier test is missing/incorrect that will only read
invalid data and then return NULL.

-- David

> 
> Also note  ntohs(param->p.length) < sizeof(struct sctp_paramhdr) will be
> caught by af->from_addr_param(sctp_v4/v6_from_addr_param) and return NULL.
> 
> Thanks.
> 
> >         af = sctp_get_af_specific(param_type2af(param->p.type));
> >         if (unlikely(!af))
> >                 return NULL;
> > --
> > 2.53.0  
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-08  8:42 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-06 18:38 [PATCH net v2] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Michael Bommarito
2026-06-07 23:42 ` Xin Long
2026-06-08  8:42   ` David Laight

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox