sctp: Prevent TOCTOU out-of-bounds write

[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ]

For the following path not holding the sock lock,

  sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()

make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).

Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/sctp/diag.c b/net/sctp/diag.c
index dadf8254b30fdef9e8c8b5270d5256c14e480b9d..95e65b9d623b3b21072fa91521eb14c25711c3f4 100644 (file)
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
                memcpy(info, &laddr->a, sizeof(laddr->a));
                memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
                info += addrlen;
+
+               if (!--addrcnt)
+                       break;
        }
        rcu_read_unlock();