From: Alexandr Sapozhnikov Date: Thu, 2 Oct 2025 09:14:47 +0000 (+0300) Subject: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() X-Git-Tag: v6.1.157~134 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=025419f4e216a3ae0d0cec622262e98e8078c447;p=thirdparty%2Fkernel%2Fstable.git net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() [ Upstream commit 2f3119686ef50319490ccaec81a575973da98815 ] If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function. Signed-off-by: Alexandr Sapozhnikov Acked-by: Xin Long Fixes: 30f6ebf65bc4 ("sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT") Link: https://patch.msgid.link/20251002091448.11-1-alsp705@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 4848d5d50a5f5..1ca9073c95835 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -885,7 +885,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, return SCTP_DISPOSITION_CONSUME; nomem_authev: - sctp_ulpevent_free(ai_ev); + if (ai_ev) + sctp_ulpevent_free(ai_ev); nomem_aiev: sctp_ulpevent_free(ev); nomem_ev:
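Review bot: the new `if (ai_ev)` guard at `nomem_authev:` covers only this one call, while `sctp_ulpevent_free(ev)` under `nomem_aiev:` directly below it stays unconditional, and the message itself says that sctp_ulpevent_free() dereferences a zero pointer. Either note in the commit message why `ev` cannot be NULL when control reaches `nomem_aiev:`, or move the NULL check into sctp_ulpevent_free() so every error path is covered rather than this single label. The trigger condition in the commit message also needs tightening: it names the same function twice ("sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0"), so a reader cannot tell which second condition, beyond `new_asoc->peer.adaptation_ind` being 0, leaves `ai_ev` unset before the jump to `nomem_authev:`.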