android_kernel_motorola_sm6225/net/sctp
Xin Long 8c630a7b4f sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
[ Upstream commit f7e745f8e94492a8ac0b0a26e25f2b19d342918f ]

We should always check if skb_header_pointer's return is NULL before
using it, otherwise it may cause null-ptr-deref, as syzbot reported:

  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
  RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
  Call Trace:
  <IRQ>
   sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109
   ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422
   ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
   NF_HOOK include/linux/netfilter.h:307 [inline]
   NF_HOOK include/linux/netfilter.h:301 [inline]
   ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
   dst_input include/net/dst.h:460 [inline]
   ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
   NF_HOOK include/linux/netfilter.h:307 [inline]
   NF_HOOK include/linux/netfilter.h:301 [inline]
   ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297

Fixes: 3acb50c18d ("sctp: delay as much as possible skb_linearize")
Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-06 15:31:22 +02:00
associola.c
auth.c sctp: move the active_key update after sh_keys is added 2021-08-12 13:19:39 +02:00
bind_addr.c sctp: validate from_addr_param return 2021-07-20 16:16:03 +02:00
chunk.c
debug.c
diag.c
endpointola.c
input.c sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb 2021-10-06 15:31:22 +02:00
inqueue.c
ipv6.c sctp: validate from_addr_param return 2021-07-20 16:16:03 +02:00
Kconfig
Makefile
objcnt.c
offload.c
output.c
outqueue.c
primitive.c
proc.c net: fix iteration for sctp transport seq_files 2021-02-23 15:00:58 +01:00
protocol.c sctp: move 198 addresses from unusable to private scope 2021-07-31 08:22:38 +02:00
sm_make_chunk.c sctp: add param size validation for SCTP_PARAM_SET_PRIMARY 2021-09-26 13:39:47 +02:00
sm_sideeffect.c sctp: change to hold/put transport for proto_unreach_timer 2020-11-24 13:27:18 +01:00
sm_statefuns.c sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b 2021-05-22 10:59:43 +02:00
sm_statetable.c
socket.c sctp: delay auto_asconf init until binding the first addr 2021-05-22 10:59:39 +02:00
stream.c
stream_interleave.c
stream_sched.c
stream_sched_prio.c
stream_sched_rr.c
sysctl.c
transport.c sctp: change to hold/put transport for proto_unreach_timer 2020-11-24 13:27:18 +01:00
tsnmap.c
ulpevent.c
ulpqueue.c