net/sctp/input.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
chunk can hold the ADDIP header and a parameter header, then calls
af->from_addr_param(), which reads the full address (16 bytes for IPv6)
trusting the parameter's declared length.
An unauthenticated peer can send a truncated trailing ASCONF chunk that
declares an IPv6 address parameter but stops after the 4-byte parameter
header; reached from the no-association lookup path, from_addr_param() then
reads uninitialized bytes past the parameter.
Impact: an unauthenticated SCTP peer makes the receive path read up to 16
bytes of uninitialized memory past a truncated ASCONF address parameter.
The sibling __sctp_rcv_init_lookup() bounds parameters with
sctp_walk_params(); this path open-codes the fetch and omits the bound.
Verify the whole address parameter lies within the chunk before
from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
v2:
- Regenerate from net/main so the patch has index lines and applies
cleanly (Xin Long).
- Use unsigned int for the decoded length and compare it against the
remaining parameter space after the ADDIP header (David Laight).
v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@gmail.com/
net/sctp/input.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/net/sctp/input.c b/net/sctp/input.c
index e119e460ccde0..c63d42500aa28 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1197,13 +1197,26 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
struct sctp_af *af;
union sctp_addr_param *param;
union sctp_addr paddr;
+ unsigned int param_space;
+ unsigned int plen;
if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
return NULL;
+ param_space = ntohs(ch->length) - sizeof(*asconf);
+
/* Skip over the ADDIP header and find the Address parameter */
param = (union sctp_addr_param *)(asconf + 1);
+ /* The whole address parameter must lie within the chunk before
+ * af->from_addr_param() reads the variable-length address; otherwise a
+ * truncated trailing ASCONF chunk lets it read uninitialized bytes past
+ * the parameter.
+ */
+ plen = ntohs(param->p.length);
+ if (plen < sizeof(struct sctp_paramhdr) || plen > param_space)
+ return NULL;
+
af = sctp_get_af_specific(param_type2af(param->p.type));
if (unlikely(!af))
return NULL;
--
2.53.0On Sat, Jun 6, 2026 at 2:39 PM Michael Bommarito
<michael.bommarito@gmail.com> wrote:
>
> __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
> chunk can hold the ADDIP header and a parameter header, then calls
> af->from_addr_param(), which reads the full address (16 bytes for IPv6)
> trusting the parameter's declared length.
>
> An unauthenticated peer can send a truncated trailing ASCONF chunk that
> declares an IPv6 address parameter but stops after the 4-byte parameter
> header; reached from the no-association lookup path, from_addr_param() then
> reads uninitialized bytes past the parameter.
>
> Impact: an unauthenticated SCTP peer makes the receive path read up to 16
> bytes of uninitialized memory past a truncated ASCONF address parameter.
>
> The sibling __sctp_rcv_init_lookup() bounds parameters with
> sctp_walk_params(); this path open-codes the fetch and omits the bound.
> Verify the whole address parameter lies within the chunk before
> from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
> ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
>
> Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
> ---
> v2:
> - Regenerate from net/main so the patch has index lines and applies
> cleanly (Xin Long).
> - Use unsigned int for the decoded length and compare it against the
> remaining parameter space after the ADDIP header (David Laight).
> v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@gmail.com/
>
> net/sctp/input.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/net/sctp/input.c b/net/sctp/input.c
> index e119e460ccde0..c63d42500aa28 100644
> --- a/net/sctp/input.c
> +++ b/net/sctp/input.c
> @@ -1197,13 +1197,26 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
> struct sctp_af *af;
> union sctp_addr_param *param;
> union sctp_addr paddr;
> + unsigned int param_space;
> + unsigned int plen;
>
> if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
> return NULL;
>
> + param_space = ntohs(ch->length) - sizeof(*asconf);
> +
> /* Skip over the ADDIP header and find the Address parameter */
> param = (union sctp_addr_param *)(asconf + 1);
>
> + /* The whole address parameter must lie within the chunk before
> + * af->from_addr_param() reads the variable-length address; otherwise a
> + * truncated trailing ASCONF chunk lets it read uninitialized bytes past
> + * the parameter.
> + */
> + plen = ntohs(param->p.length);
> + if (plen < sizeof(struct sctp_paramhdr) || plen > param_space)
> + return NULL;
> +
I think we don't really need to check plen < sizeof(struct sctp_paramhdr).
This check is to ensure param->p.length can be safely accessed, but it's
already guaranteed by the early check:
if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
I think you can just simplify your patch to:
if (ntohs(param->p.length) > ntohs(ch->length) - sizeof(*asconf))
return NULL;
Also note ntohs(param->p.length) < sizeof(struct sctp_paramhdr) will be
caught by af->from_addr_param(sctp_v4/v6_from_addr_param) and return NULL.
Thanks.
> af = sctp_get_af_specific(param_type2af(param->p.type));
> if (unlikely(!af))
> return NULL;
> --
> 2.53.0
© 2016 - 2026 Red Hat, Inc.