The check of new_asoc->peer.adaptation_ind can fail,
leaving ai_ev uninitialized. In that case, the code
can jump to the nomem_authdev label and later call
sctp_ulpevent_free() with a null ai_ev pointer,
leading to a potential null dereference.
Add a check of the ai_ev pointer before the call to the
sctp_ulpevent_free function.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 30f6ebf65bc4 ("sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT")
Signed-off-by: Alexey Simakov <a.simakov@securitycode.ru>
---
net/sctp/sm_statefuns.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index a0524ba8d787..93cac73472c7 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -885,7 +885,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
return SCTP_DISPOSITION_CONSUME;
nomem_authev:
- sctp_ulpevent_free(ai_ev);
+ if (ai_ev)
+ sctp_ulpevent_free(ai_ev);
nomem_aiev:
sctp_ulpevent_free(ev);
nomem_ev:
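Review bot: the new `if (ai_ev)` test under nomem_authev only protects the call if ai_ev is set to NULL where it is declared, and the commit message describes the pointer both as "uninitialized" and as "a null ai_ev pointer". The declaration is outside this hunk, so the message should say which it is: a NULL test does nothing for a pointer that was never initialized. The message also names the label nomem_authdev while the hunk shows nomem_authev, which should be made consistent before resending.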
--
2.34.1
On Mon, Sep 22, 2025 at 12:17 PM Alexey Simakov <a.simakov@securitycode.ru> wrote:
>
> The check of new_asoc->peer.adaptation_ind can fail,
> leaving ai_ev uninitialized. In that case, the code
> can jump to the nomem_authdev label and later call
> sctp_ulpevent_free() with a null ai_ev pointer,
> leading to a potential null dereference.
>
> Add a check of the ai_ev pointer before the call to the
> sctp_ulpevent_free function.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 30f6ebf65bc4 ("sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT")
> Signed-off-by: Alexey Simakov <a.simakov@securitycode.ru>
> ---
> net/sctp/sm_statefuns.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index a0524ba8d787..93cac73472c7 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -885,7 +885,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
> return SCTP_DISPOSITION_CONSUME;
>
> nomem_authev:
> - sctp_ulpevent_free(ai_ev);
> + if (ai_ev)
> + sctp_ulpevent_free(ai_ev);

The patch cannot be applied. It seems these 3 lines start with spaces?
You may run ./scripts/checkpatch.pl against it.

Thanks.

> nomem_aiev:
> sctp_ulpevent_free(ev);
> nomem_ev:
> --
> 2.34.1
>
> Confidentiality statement
>
> This e-mail and any attachments to it are confidential and intended solely for the addressee. If you are not the addressee of this e-mail, please notify the sender immediately, do not disclose the contents to other persons, do not use it for any purpose, and do not store or copy the information in any way.