From nobody Mon Jun 8 05:25:47 2026 Received: from mail-qk1-f175.google.com (mail-qk1-f175.google.com [209.85.222.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1CE383B7B84 for ; Sat, 6 Jun 2026 18:39:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780771178; cv=none; b=dyYzpJZC9pufRXUgEVsrnUR2/nV8v5i/Ki0M0H5+Lxl0MMCI+k5Amo8/Dso49rM9ZLdHp1Ycg8hOcZtrj/sXDUc90cm3tvEnzZ8RlxXsZ5KX68nm6/hnEs7x/DmmimQXdJN+Tt5R15JVAaVmiCVvQ2Lt4NWgs6vR5ByRGg1cNhQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780771178; c=relaxed/simple; bh=hoInznijmXNcAlLWUOC8ZbwHn/36szbur3eTTIq96ao=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=VvUDr3Rce88Ss/QTVa1jKe0JcowyeMLh1wnXDZEe5LR8oqHvb2R4/783X697TL7UkhuYxz6+96QCvy6r+YVOg1YPBCeg00YMz1mXACvp2eVSXT06+Lsuxj6Isy4GoVvO8bvEWHyEiwoRcy39ZMhEClhFRaRHC4tdpZxUwkl7KZE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=gsJClNQf; arc=none smtp.client-ip=209.85.222.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="gsJClNQf" Received: by mail-qk1-f175.google.com with SMTP id af79cd13be357-9159f631656so351523185a.1 for ; Sat, 06 Jun 2026 11:39:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780771165; x=1781375965; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=BtPhLti09zjexvIxGQdE7OP+nneYPm4H1afCVbrLWGo=; b=gsJClNQfbVPdCTWQ8XzPk+xuvph/vNCFedKaThvpTzTlY8q+d78d1YrEavVSGRv+OF 1RQgfuvZ8oUY5q2z8ZdTz84rkWGpWJDs0EbSrjwwJoHDBbIqxRTT20BU12QzLV9c1GkF snch88O4yHo9Au0yMZfUvpd6Zku3WEiY72DR0um+ixIF1yl7rVbEP6UA535JzU3TGvbG 79WoVyMHU6WihQJaRJCEFQRSdfs1ohKEseUvA4EMXH6LmADavdmazTRs/5/RrY1FLGkU ygNGRZ6GKZMe9vhhYJvKFvWzuG+n1n5HQVIphghy5c2WOaSVlrWKJWSc/5MhuIcejFP4 OT0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780771165; x=1781375965; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=BtPhLti09zjexvIxGQdE7OP+nneYPm4H1afCVbrLWGo=; b=AN9c5D39ocgJS7HeRpMTEVASxIRo9QxIhOjb0yLz5I3ynTsv+HXnM57dB8sN63rSh/ IN+VTpsRsicszaFOsHcnKCPqdVwe4bEBRPT/AiG3B95m0JfP78GtMZEVeMl4jGBp9O8X WV5TqkAna+xIss1w7vuuhPIqiB9w081zNw6LkDHyw8sNYSv2P/0K0vqFvl4uWXTfY8ZX Ol4UlbK0+IxpRH676Gm9EPWqW1Iy9I1wnA5ZoGBf6Bhn3dVTMp1D+8OZsEsfBJUPwqik vMV9Kzd37YoTw01qT3T306hU+Z/0n/gkcV2LKKZTJA8PXedaGkbS+6sl3Yk96KBpyB29 cNQQ== X-Forwarded-Encrypted: i=1; AFNElJ/s3e4UazA+ytXpnZv0uH2FW+kq6iua4Xs4/1mY8Wxirx9mJ1kt5Zt48jycggLYm72bjx4eaz991DTFZLY=@vger.kernel.org X-Gm-Message-State: AOJu0Yzk/720GUwiDq6QEPIVn/vWUlHVa5nwAIcLm+AovLAcHYYtFko2 eV9fmLsEBTLlJqa831jd5vPSr0W5DYk2Mrlp6UFRXMqJNSB5GDU9DihVjrlC/Sg6U3U= X-Gm-Gg: Acq92OHf49kklXcX59tOPqe9GPImDIF68RG+9+6KZU1T82Cr0MF0ozryywhP6+1iRZI QhcXJRqB4PW0cimDSNFS9gQBYoPWVQ+7J/XHXp7R5xqL7vDlBTz6uObPf1AS4IE5OAhx4VhemVM 4fnrlMsH17mUUFXpm8xSSjDldy5R872Bsu/kWblrLui12aB3mkKdQ74KbgCspnJUt8ToHv7W6zl zrtl+FQEa3xW4OmH33pOZ/5TGzntt+qxjLXrrFATkFL/Ogw0zX9g7dj9sd3Gby0apbHOOjPl06m C9BLODVz3l7O6f0y976xapz30leCFb4ZYCtzbtlqb0Dix7OadCkdszLxPOmutVq+Mk/751dkIv8 0LAf7M4bg4Q9T6RWsi1IwOIa7cu3DgXAqSXoA5kUO9jAa3187TjkoL+vnTq60Yn/5iawb7CTZvN FYZdGKj1ZxM2eZoa7bm+M+F4CRzSwmtYf2MOYJL6fxV5HaL6dQJBSYkhW+ASZB7OFUr84lIZ/vE aogNaY4RxXEQSBgRhnZm1RF2IafH1k= X-Received: by 2002:a05:620a:44cf:b0:915:92f3:54e2 with SMTP id af79cd13be357-915ad0a9f9emr1008248685a.6.1780771164573; Sat, 06 Jun 2026 11:39:24 -0700 (PDT) Received: from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id af79cd13be357-9158a3d2384sm1223549985a.39.2026.06.06.11.39.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 06 Jun 2026 11:39:23 -0700 (PDT) From: Michael Bommarito To: Marcelo Ricardo Leitner , Xin Long Cc: "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Vlad Yasevich , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net v2] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Date: Sat, 6 Jun 2026 14:38:21 -0400 Message-ID: <20260606183821.1688525-1-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length. An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter. Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter. The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop"). Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF c= hunks as well") Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Michael Bommarito --- v2: - Regenerate from net/main so the patch has index lines and applies cleanly (Xin Long). - Use unsigned int for the decoded length and compare it against the remaining parameter space after the ADDIP header (David Laight). v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@= gmail.com/ net/sctp/input.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/sctp/input.c b/net/sctp/input.c index e119e460ccde0..c63d42500aa28 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -1197,13 +1197,26 @@ static struct sctp_association *__sctp_rcv_asconf_l= ookup( struct sctp_af *af; union sctp_addr_param *param; union sctp_addr paddr; + unsigned int param_space; + unsigned int plen; =20 if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr)) return NULL; =20 + param_space =3D ntohs(ch->length) - sizeof(*asconf); + /* Skip over the ADDIP header and find the Address parameter */ param =3D (union sctp_addr_param *)(asconf + 1); =20 + /* The whole address parameter must lie within the chunk before + * af->from_addr_param() reads the variable-length address; otherwise a + * truncated trailing ASCONF chunk lets it read uninitialized bytes past + * the parameter. + */ + plen =3D ntohs(param->p.length); + if (plen < sizeof(struct sctp_paramhdr) || plen > param_space) + return NULL; + af =3D sctp_get_af_specific(param_type2af(param->p.type)); if (unlikely(!af)) return NULL; --=20 2.53.0