linux/net
Xin Long 0ead60804b sctp: properly validate chunk size in sctp_sf_ootb()
A size validation fix similar to that in Commit 50619dbf8d ("sctp: add
size validation when walking chunks") is also required in sctp_sf_ootb()
to address a crash reported by syzbot:

  BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
  sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
  sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
  sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
  sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
  sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
  sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
  ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233

Reported-by: syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/a29ebb6d8b9f8affd0f9abb296faafafe10c17d8.1730223981.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-11-03 11:03:23 -08:00
..
6lowpan
9p 9p: fix slab cache name creation for real 2024-10-21 15:41:29 -07:00
802 move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
8021q
appletalk
atm
ax25
batman-adv move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
bluetooth Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs 2024-10-30 14:49:09 -04:00
bpf bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled 2024-10-31 16:15:21 +01:00
bridge bridge: Handle error of rtnl_register_module(). 2024-10-10 15:39:35 +02:00
caif move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-15 09:13:19 -07:00
ceph
core BPF fixes: 2024-10-31 14:56:19 -10:00
dcb
dccp move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
devlink
dns_resolver
dsa net: dsa: refuse cross-chip mirroring operations 2024-10-09 19:41:35 -07:00
ethernet
ethtool net: ethtool: phy: Don't set the context dev pointer for unfiltered DUMP 2024-09-13 21:40:12 -07:00
handshake
hsr Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-12 17:11:24 -07:00
ieee802154
ife
ipv4 BPF fixes: 2024-10-31 14:56:19 -10:00
ipv6 netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() 2024-10-30 13:17:36 +01:00
iucv
kcm
key
l2tp genetlink: hold RCU in genlmsg_mcast() 2024-10-15 17:52:58 -07:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: ieee80211_i: Fix memory corruption bug in struct ieee80211_chanctx 2024-10-26 00:42:49 +02:00
mac802154 Including fixes from ieee802154, bluetooth and netfilter. 2024-10-03 09:44:00 -07:00
mctp mctp: Handle error of rtnl_register_module(). 2024-10-10 15:39:35 +02:00
mpls mpls: Handle error of rtnl_register_module(). 2024-10-10 15:39:35 +02:00
mptcp mptcp: init: protect sched with rcu_read_lock 2024-10-28 15:50:54 -07:00
ncsi net/ncsi: Disable the ncsi work before freeing the associated structure 2024-10-03 10:14:14 +02:00
netfilter netfilter: nft_payload: sanitize offset and length before calling skb_checksum() 2024-10-31 10:54:49 +01:00
netlabel
netlink genetlink: hold RCU in genlmsg_mcast() 2024-10-15 17:52:58 -07:00
netrom
nfc
nsh
openvswitch
packet net: add support for skbs with unreadable frags 2024-09-11 20:44:31 -07:00
phonet phonet: Handle error of rtnl_register_module(). 2024-10-10 15:39:36 +02:00
psample
qrtr net: qrtr: Update packets cloning when broadcasting 2024-09-24 10:48:16 +02:00
rds
rfkill [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
rose
rxrpc rxrpc: Fix uninitialised variable in rxrpc_send_data() 2024-10-03 16:23:21 -07:00
sched net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext() 2024-10-29 11:45:23 -07:00
sctp sctp: properly validate chunk size in sctp_sf_ootb() 2024-11-03 11:03:23 -08:00
smc net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid 2024-10-15 10:56:31 -07:00
strparser
sunrpc NFS Client Bugfixes for Linux 6.12-rc 2024-10-11 15:37:15 -07:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-15 09:13:19 -07:00
tls move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
unix af_unix: Don't return OOB skb in manage_oob(). 2024-09-09 17:14:27 -07:00
vmw_vsock BPF fixes: 2024-10-18 16:27:14 -07:00
wireless wifi: cfg80211: clear wdev->cqm_config pointer on free 2024-10-25 17:53:40 +02:00
x25
xdp bpf-next-6.12 2024-09-21 09:27:50 -07:00
xfrm ipsec-2024-10-22 2024-10-24 11:11:33 +02:00
compat.c
devres.c
Kconfig memory-provider: disable building dmabuf mp on !CONFIG_PAGE_POOL 2024-09-13 11:41:45 -07:00
Kconfig.debug
Makefile
socket.c net: explicitly clear the sk pointer, when pf->create fails 2024-10-07 16:21:59 -07:00
sysctl_net.c