OpenCloudOS-Kernel/net/sctp
Dmitry Antipov 84c176fbec net: sctp: fix skb leak in sctp_inq_free()
[ Upstream commit 4e45170d9acc2d5ae8f545bf3f2f67504a361338 ]

In case of GSO, 'chunk->skb' pointer may point to an entry from
fraglist created in 'sctp_packet_gso_append()'. To avoid freeing
random fraglist entry (and so undefined behavior and/or memory
leak), introduce 'sctp_inq_chunk_free()' helper to ensure that
'chunk->skb' is set to 'chunk->head_skb' (i.e. fraglist head)
before calling 'sctp_chunk_free()', and use the aforementioned
helper in 'sctp_inq_pop()' as well.

Reported-by: syzbot+8bb053b5d63595ab47db@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=0d8351bbe54fd04a492c2daab0164138db008042
Fixes: 90017accff ("sctp: Add GSO support")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/20240214082224.10168-1-dmantipov@yandex.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-08-19 06:04:27 +02:00
..
Kconfig sctp: create udp4 sock and add its encap_rcv 2020-10-30 15:23:52 -07:00
Makefile sctp: add fair capacity stream scheduler 2023-03-09 11:31:44 +01:00
associola.c sctp: update transport state when processing a dupcook packet 2023-10-04 17:29:44 -07:00
auth.c sctp: delete the nested flexible array hmac 2023-04-21 08:19:30 +01:00
bind_addr.c sctp: fail if no bound addresses can be used for a given scope 2023-01-24 18:32:33 -08:00
chunk.c net: sctp: chunk.c: delete duplicated word 2020-08-24 16:21:43 -07:00
debug.c sctp: add the probe timer in transport for PLPMTUD 2021-06-22 11:28:52 -07:00
diag.c sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list 2023-02-10 19:28:29 -08:00
endpointola.c sctp: add dif and sdif check in asoc and ep lookup 2022-11-18 11:42:54 +00:00
input.c sctp: Fix null-ptr-deref in reuseport_add_sock(). 2024-08-14 13:58:39 +02:00
inqueue.c net: sctp: fix skb leak in sctp_inq_free() 2024-08-19 06:04:27 +02:00
ipv6.c net: annotate lockless accesses to sk->sk_err_soft 2023-03-17 08:25:05 +00:00
objcnt.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
offload.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
output.c net: allow gso_max_size to exceed 65536 2022-05-16 10:18:55 +01:00
outqueue.c sctp: delete the nested flexible array variable 2023-04-21 08:19:29 +01:00
primitive.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
proc.c sctp: annotate data-races around sk->sk_wmem_queued 2023-08-31 11:56:59 +02:00
protocol.c inet: move inet->freebind to inet->inet_flags 2023-08-16 11:09:17 +01:00
sm_make_chunk.c sctp: delete the nested flexible array peer_init 2023-04-21 08:19:30 +01:00
sm_sideeffect.c sctp: handle invalid error codes without calling BUG() 2023-06-12 09:36:27 +01:00
sm_statefuns.c sctp: fix an error code in sctp_sf_eat_auth() 2023-06-12 09:36:27 +01:00
sm_statetable.c sctp: add the probe timer in transport for PLPMTUD 2021-06-22 11:28:52 -07:00
socket.c sctp: prefer struct_size over open coded arithmetic 2024-07-11 12:49:06 +02:00
stream.c sctp: delete the nested flexible array params 2023-04-21 08:19:29 +01:00
stream_interleave.c sctp: delete the nested flexible array skip 2023-04-21 08:19:29 +01:00
stream_sched.c sctp: fix a potential OOB access in sctp_sched_set_sched() 2023-05-10 12:10:15 +01:00
stream_sched_fc.c sctp: add weighted fair queueing stream scheduler 2023-03-09 11:31:44 +01:00
stream_sched_prio.c sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop 2023-02-23 12:59:40 -08:00
stream_sched_rr.c sctp: delete free member from struct sctp_sched_ops 2022-12-01 20:14:23 -08:00
sysctl.c networking: Update to register_net_sysctl_sz 2023-08-15 15:26:18 -07:00
transport.c sctp: fix an issue that plpmtu can never go to complete state 2023-05-22 11:05:20 +01:00
tsnmap.c net: sctp: trivial: fix typo in comment 2021-03-04 13:48:32 -08:00
ulpevent.c net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
ulpqueue.c sctp: remove unnecessary NULL check in sctp_ulpq_tail_event() 2022-10-20 21:43:10 -07:00