From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:54358 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754073AbdGCLyI (ORCPT
        <rfc822;stable@vger.kernel.org>); Mon, 3 Jul 2017 07:54:08 -0400
Subject: Patch "sctp: check af before verify address in sctp_addr_id2transport" has been added to the 4.9-stable tree
To: lucien.xin@gmail.com, alexander.levin@verizon.com,
        davem@davemloft.net, gregkh@linuxfoundation.org,
        marcelo.leitner@gmail.com
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Mon, 03 Jul 2017 13:54:06 +0200
Message-ID: <1499082846176232@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    sctp: check af before verify address in sctp_addr_id2transport

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sctp-check-af-before-verify-address-in-sctp_addr_id2transport.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From foo@baz Mon Jul  3 13:37:32 CEST 2017
From: Xin Long <lucien.xin@gmail.com>
Date: Tue, 7 Feb 2017 20:56:08 +0800
Subject: sctp: check af before verify address in sctp_addr_id2transport

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit 912964eacb111551db73429719eb5fadcab0ff8a ]

Commit 6f29a1306131 ("sctp: sctp_addr_id2transport should verify the
addr before looking up assoc") invoked sctp_verify_addr to verify the
addr.

But it didn't check af variable beforehand, once users pass an address
with family = 0 through sockopt, sctp_get_af_specific will return NULL
and NULL pointer dereference will be caused by af->sockaddr_len.

This patch is to fix it by returning NULL if af variable is NULL.

Fixes: 6f29a1306131 ("sctp: sctp_addr_id2transport should verify the addr before looking up assoc")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -239,7 +239,7 @@ static struct sctp_transport *sctp_addr_
 	union sctp_addr *laddr = (union sctp_addr *)addr;
 	struct sctp_transport *transport;
 
-	if (sctp_verify_addr(sk, laddr, af->sockaddr_len))
+	if (!af || sctp_verify_addr(sk, laddr, af->sockaddr_len))
 		return NULL;
 
 	addr_asoc = sctp_endpoint_lookup_assoc(sctp_sk(sk)->ep,


Patches currently in stable-queue which might be from lucien.xin@gmail.com are

queue-4.9/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch
queue-4.9/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch
queue-4.9/sctp-check-af-before-verify-address-in-sctp_addr_id2transport.patch
queue-4.9/sctp-return-next-obj-by-passing-pos-1-into-sctp_transport_get_idx.patch
queue-4.9/sctp-disable-bh-in-sctp_for_each_endpoint.patch