From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com, Xin Long, Marcelo Ricardo Leitner, "David S. Miller", Sasha Levin
Subject: [PATCH 5.14 095/172] sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
Date: Mon, 4 Oct 2021 14:52:25 +0200
Message-Id: <20211004125048.057271586@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20211004125044.945314266@linuxfoundation.org>
References: <20211004125044.945314266@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xin Long

[ Upstream commit f7e745f8e94492a8ac0b0a26e25f2b19d342918f ]

We should always check if skb_header_pointer's return is NULL before
using it, otherwise it may cause null-ptr-deref, as syzbot reported:

  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
  RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
  Call Trace:
   sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109
   ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422
   ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
   NF_HOOK include/linux/netfilter.h:307 [inline]
   NF_HOOK include/linux/netfilter.h:301 [inline]
   ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
   dst_input include/net/dst.h:460 [inline]
   ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
   NF_HOOK include/linux/netfilter.h:307 [inline]
   NF_HOOK include/linux/netfilter.h:301 [inline]
   ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297

Fixes: 3acb50c18d8d ("sctp: delay as much as possible skb_linearize")
Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
Signed-off-by: Xin Long
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin --- net/sctp/input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/input.c b/net/sctp/input.c index 5ef86fdb1176..1f1786021d9c 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb) ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch); /* Break out if chunk length is less then minimal. */ - if (ntohs(ch->length) < sizeof(_ch)) + if (!ch || ntohs(ch->length) < sizeof(_ch)) break; ch_end = offset + SCTP_PAD4(ntohs(ch->length)); -- 2.33.0
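Review bot: the comment directly above the changed line, "/* Break out if chunk length is less then minimal. */", no longer describes the condition: with "if (!ch || ntohs(ch->length) < sizeof(_ch))" the loop now also breaks out when skb_header_pointer() returns NULL because sizeof(*ch) bytes at "offset" are not available in the skb (a chunk header that runs past the end of the packet). Suggest updating it to something like "/* Break out if the chunk header is not available or chunk length is less than minimal. */", which also corrects "then" to "than". The operand order is right as written: short-circuit evaluation guarantees "ch->length" is never read when "ch" is NULL, and the "break" also skips the following "ch_end = offset + SCTP_PAD4(ntohs(ch->length));", so no other dereference of "ch" in this hunk is reachable with a NULL pointer.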