2023-05-10 09:26:43

by Gavrilov Ilia

[permalink] [raw]
Subject: [PATCH net-next v4] sctp: fix a potential OOB access in sctp_sched_set_sched()

From: "Ilia.Gavrilov" <[email protected]>

The 'sched' index value must be checked before accessing an element
of the 'sctp_sched_ops' array. Otherwise, it can lead to OOB access.

Note that it's harmless since the 'sched' parameter is checked before
calling 'sctp_sched_set_sched'.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Acked-by: Marcelo Ricardo Leitner <[email protected]>
Reviewed-by: Xin Long <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: Ilia.Gavrilov <[email protected]>
---
V4:
- revert to V2
- repost according to
https://lore.kernel.org/all/[email protected]/
V3:
- Change description
- Remove 'fixes'
V2:
- Change the order of local variables
- Specify the target tree in the subject
net/sctp/stream_sched.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
index 330067002deb..4d076a9b8592 100644
--- a/net/sctp/stream_sched.c
+++ b/net/sctp/stream_sched.c
@@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
int sctp_sched_set_sched(struct sctp_association *asoc,
enum sctp_sched_type sched)
{
- struct sctp_sched_ops *n = sctp_sched_ops[sched];
struct sctp_sched_ops *old = asoc->outqueue.sched;
struct sctp_datamsg *msg = NULL;
+ struct sctp_sched_ops *n;
struct sctp_chunk *ch;
int i, ret = 0;

- if (old == n)
- return ret;
-
if (sched > SCTP_SS_MAX)
return -EINVAL;

+ n = sctp_sched_ops[sched];
+ if (old == n)
+ return ret;
+
if (old)
sctp_sched_free_sched(&asoc->stream);

--
2.30.2


2023-05-10 11:27:15

by patchwork-bot+netdevbpf

[permalink] [raw]
Subject: Re: [PATCH net-next v4] sctp: fix a potential OOB access in sctp_sched_set_sched()

Hello:

This patch was applied to netdev/net-next.git (main)
by David S. Miller <[email protected]>:

On Wed, 10 May 2023 09:23:40 +0000 you wrote:
> From: "Ilia.Gavrilov" <[email protected]>
>
> The 'sched' index value must be checked before accessing an element
> of the 'sctp_sched_ops' array. Otherwise, it can lead to OOB access.
>
> Note that it's harmless since the 'sched' parameter is checked before
> calling 'sctp_sched_set_sched'.
>
> [...]

Here is the summary with links:
- [net-next,v4] sctp: fix a potential OOB access in sctp_sched_set_sched()
https://git.kernel.org/netdev/net-next/c/059fa492027e

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html