]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
sctp: validate STALE_COOKIE cause length before reading staleness
authorWeiming Shi <bestswngs@gmail.com>
Sat, 4 Jul 2026 03:35:46 +0000 (20:35 -0700)
committerPaolo Abeni <pabeni@redhat.com>
Fri, 10 Jul 2026 14:51:34 +0000 (16:51 +0200)
When an ERROR chunk with a STALE_COOKIE cause is received in the
COOKIE_ECHOED state, sctp_sf_do_5_2_6_stale() reads the 4-byte Measure
of Staleness that follows the cause header:

err   = (struct sctp_errhdr *)(chunk->skb->data);
stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err)));

err is the first cause in the chunk, not the STALE_COOKIE cause that
caused the dispatch, and nothing guarantees the staleness field is
present. sctp_walk_errors() only requires a cause to be as long as the
4-byte header, so for a STALE_COOKIE cause of length 4 the read runs
past the cause, and for a minimal ERROR chunk past skb->tail. The value
is echoed to the peer in the Cookie Preservative of the reply INIT,
leaking uninitialized memory.

sctp_sf_cookie_echoed_err() already walks to the STALE_COOKIE cause, so
check its length there and pass it to sctp_sf_do_5_2_6_stale(), which
reads that cause instead of the first one. A STALE_COOKIE cause too
short to hold the staleness field is discarded.

The read is reachable by any peer that can drive an association into
COOKIE_ECHOED, including an unprivileged process using a raw SCTP socket
in a user and network namespace.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Cc: stable@vger.kernel.org
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260704033545.2438373-2-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
net/sctp/sm_statefuns.c

index d23d935e128e96e8917f3c7a600eb8cd220b5817..3893b44448b3816ec1359e49f150fd26a56a1165 100644 (file)
@@ -74,7 +74,8 @@ static enum sctp_disposition sctp_sf_do_5_2_6_stale(
                                        const struct sctp_association *asoc,
                                        const union sctp_subtype type,
                                        void *arg,
-                                       struct sctp_cmd_seq *commands);
+                                       struct sctp_cmd_seq *commands,
+                                       struct sctp_errhdr *err);
 static enum sctp_disposition sctp_sf_shut_8_4_5(
                                        struct net *net,
                                        const struct sctp_endpoint *ep,
@@ -2529,9 +2530,15 @@ enum sctp_disposition sctp_sf_cookie_echoed_err(
         * errors.
         */
        sctp_walk_errors(err, chunk->chunk_hdr) {
-               if (SCTP_ERROR_STALE_COOKIE == err->cause)
-                       return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
-                                                       arg, commands);
+               if (err->cause != SCTP_ERROR_STALE_COOKIE)
+                       continue;
+               /* The staleness is only meaningful if the cause is long
+                * enough to hold it; a shorter one is malformed.
+                */
+               if (ntohs(err->length) < sizeof(*err) + sizeof(__be32))
+                       break;
+               return sctp_sf_do_5_2_6_stale(net, ep, asoc, type,
+                                             arg, commands, err);
        }
 
        /* It is possible to have malformed error causes, and that
@@ -2573,13 +2580,13 @@ static enum sctp_disposition sctp_sf_do_5_2_6_stale(
                                        const struct sctp_association *asoc,
                                        const union sctp_subtype type,
                                        void *arg,
-                                       struct sctp_cmd_seq *commands)
+                                       struct sctp_cmd_seq *commands,
+                                       struct sctp_errhdr *err)
 {
        int attempts = asoc->init_err_counter + 1;
-       struct sctp_chunk *chunk = arg, *reply;
        struct sctp_cookie_preserve_param bht;
        struct sctp_bind_addr *bp;
-       struct sctp_errhdr *err;
+       struct sctp_chunk *reply;
        u32 stale;
 
        if (attempts > asoc->max_init_attempts) {
@@ -2590,8 +2597,6 @@ static enum sctp_disposition sctp_sf_do_5_2_6_stale(
                return SCTP_DISPOSITION_DELETE_TCB;
        }
 
-       err = (struct sctp_errhdr *)(chunk->skb->data);
-
        /* When calculating the time extension, an implementation
         * SHOULD use the RTT information measured based on the
         * previous COOKIE ECHO / ERROR exchange, and should add no