From: Alexey Khoroshilov
To: Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, "David S. Miller"
Cc: Jakub Kicinski, Xin Long, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org, Alexey Khoroshilov
Subject: [PATCH] sctp: avoid NULL pointer dereference in sctp_sf_violation
Date: Tue, 2 Nov 2021 23:27:04 +0300
Message-Id: <1635884824-28790-1-git-send-email-khoroshilov@ispras.ru>

Some callers (e.g. sctp_sf_violation_chunk) pass NULL to the asoc argument of sctp_sf_violation. So, it should check it before calling sctp_vtag_verify(). Probably it could be exploited by a malicious SCTP packet to cause a NULL pointer dereference.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Alexey Khoroshilov Fixes: aa0f697e4528 ("sctp: add vtag check in sctp_sf_violation") --- net/sctp/sm_statefuns.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index fb3da4d8f4a3..77f3cd6c516e 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -4669,7 +4669,7 @@ enum sctp_disposition sctp_sf_violation(struct net *net, { struct sctp_chunk *chunk = arg; - if (!sctp_vtag_verify(chunk, asoc)) + if (asoc && !sctp_vtag_verify(chunk, asoc)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); /* Make sure that the chunk has a valid length. */ -- 2.7.4
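Review bot: the `asoc &&` guard in the hunk skips the vtag check rather than discarding when asoc is NULL, so a chunk that reaches sctp_sf_violation with no association now continues to the length check and the violation handling that follow the `return sctp_sf_pdiscard(...)` line; the commit message should state that this is the intended outcome for the NULL-asoc callers such as sctp_sf_violation_chunk (restoring their pre-aa0f697e4528 behaviour, since that commit is what added the vtag check), because the other plausible fix, `if (!asoc || !sctp_vtag_verify(chunk, asoc))`, would silently discard those chunks instead, and a reader of the diff alone cannot tell which was meant. It would also help to name the concrete path by which an on-the-wire SCTP packet reaches sctp_sf_violation with asoc == NULL, rather than "Probably it could be exploited", so the Fixes tag and any stable backport are justified by the message itself.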