Fix SCTP diag locking issues

[PATCH net v3 2/3] sctp: Prevent TOCTOU out-of-bounds write

Posted by Stefan Wiehler 3 months, 1 week ago

For the following path not holding the sock lock,

  sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()

make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).

Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
---
 net/sctp/diag.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sctp/diag.c b/net/sctp/diag.c
index 1a8761f87bf1..5d64dd99ca9a 100644
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
 		memcpy(info, &laddr->a, sizeof(laddr->a));
 		memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
 		info += addrlen;
+
+		if (!--addrcnt)
+			break;
 	}
 	rcu_read_unlock();
 
-- 
2.51.0

Re: [PATCH net v3 2/3] sctp: Prevent TOCTOU out-of-bounds write

Posted by Kuniyuki Iwashima 3 months, 1 week ago

On Tue, Oct 28, 2025 at 9:15 AM Stefan Wiehler <stefan.wiehler@nokia.com> wrote:
>
> For the following path not holding the sock lock,
>
>   sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()
>
> make sure not to exceed bounds in case the address list has grown
> between buffer allocation (time-of-check) and write (time-of-use).
>
> Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>

[PATCH net v3 1/3] sctp: Hold RCU read lock while iterating over address list
[PATCH net v3 2/3] sctp: Prevent TOCTOU out-of-bounds write
[PATCH net v3 3/3] sctp: Hold sock lock while iterating over address list