From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CFB6B405F7 for ; Tue, 7 Jul 2026 20:32:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783456342; cv=none; b=Zq1ydpfX5hg4grkx/M3V1tr9XRVkl/eqqlMuF0Pr044wOIhlkaeINn6ICv7bJeFU9bjtQf7x/duzhdMdjAYIxOBD6VYnX5icScGLksv8njThh8PsuLtSQsIWg4+pFygXlAuy/O4rG92QxemdOaj6c5gnKlk+yzxZcuX6WjXFXG4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783456342; c=relaxed/simple; bh=YwKMoHINoonDDV2XuHlbEOT76MQPbOs3105Ny8tsYhY=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=apur2is8GxM8ZTEzlgzyIrGIi/SLMZ82S10HO5pdI2yBNeD3eYDYKblMp2iAeBEavBSgFgD1vvJVVBCTBieCR8YVvEQbD0r3LMHiBstZUYFPkL5LrHTdFPKaS2FxpiAfZ8pzNln2UVqeUnadEEaWCKMScC34jYcQtu2FzSSzhUM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Yjm34Nop; arc=none smtp.client-ip=209.85.216.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Yjm34Nop" Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-388b404ea89so610180a91.0 for ; Tue, 07 Jul 2026 13:32:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783456340; x=1784061140; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=tBtQp7kflpRbuYZ47bjRgNEVT72fjkLE3FQ1IUzhIiI=; b=Yjm34Nopqe7czHIhvDjrny5PfJu+irF1IyQ3jINxTeNRZifN0EHmSH5Z17thHi0BPz DKCkUgM36MmbVqaDRLsPXvnsss/g4snHzhdITGGX/SpsRIoCounKLfIGipDvovjQbi6w ik2NbQi8QtXGGKiEs5GiPQva8fpmxCc/G+xr3tu9P6z09hthjEbjmaow0ZXx4wZCIHnq 2Ltkv6eQT4gJYTdBJdE2d+PYowQhcqer2Vjwl2LIBGvpYJ5jjKbDlJLqQHM+d8Glh/5y aVTC1bCxkP5WNOVb5c/1lNfDuR1tlZTgLx3UiFvHoYiKzi0i1BsoWw+prGl5q3ixXRAr CDLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783456340; x=1784061140; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=tBtQp7kflpRbuYZ47bjRgNEVT72fjkLE3FQ1IUzhIiI=; b=Fwr4a1bPZvJyL/vFnwg2AgaUKtrHq2H34fYEeO5R/GQVfOzYmQRwMZJ9xvpeCRJC2U YC4ayimFTXziguaXxKo4bqjIWhWAlTVco5kxvQc12MOSpwxT4cmBCV8aaFy7zst7Mi4j rtXgyX010u3CL14Yfq+fMK+omhcLPeVH3lzixww0CGrobHQl2ElVLdETaLgeEM/tOt54 w5FKJkU8tDM0BsZRqTpb0ATj2wWfCZ/B5rl7Di6ufiDtCp/QI2r5cK0lKYQkpQ9PybLQ Z/zxZks9mi8b1dJXeHW8aiwJCbVVPovI7Tk5nWTw0jmLNw6+mjO4C7cTZBYIqTG52RSD p0Kg== X-Forwarded-Encrypted: i=1; AHgh+Ro/r/R3UahnKujsxLjuHa4VhT8fL/N0Bw/kQ3ZBViCZJeOojcphkasGY+reRtxsKX3BF30WkofAY8uGE8Q=@vger.kernel.org X-Gm-Message-State: AOJu0YyfF10w4c0rNd+4P39mUbC133/lK5MX3IZo5KjSmPjt9rjoeh/m XwZkCwdwOcJEytkd0rO5dEoDA7lnWZaBbsCHUGEYPFrLKbD7OOzSVcCg X-Gm-Gg: AfdE7cmbwSUMbVblsyH/hYJ1rDpKMKblpVv4zGZuLBInNy35vUPTXObRbix1S6ODLIc Uk8lzt9DTno8sokSSSBajHxs2UZqQ+JYf3bJTTaOtJzgOKm4FfIERwbauDQ/MqhDmPbnIvx7ga/ zMstWzXOOml+dgHxQvU9NcXFlZqS3FKC1/Cyx9iZSBTTWcmBc09KYDDYtNvDwwN9Zu5YYthd+rl cYp1gJzk+ba9t56pK3Ni2psAScvm9rKZRZU5c86P8r62MC/1ZmUCU9V7jVP5iV2wbNJ5Ve7HmAk swjYPnYHMPS5hRhXRf6RdUUTzjHEayeOM2Z4hci5RvHEGMnWHWX8//ga7Og16n3chzRp+TDi93n +CLyOIhB8PlIkflQoYir4bFsmq9Znfa04aetzG4whGKSlfUVS2InLHb/5MQgMLrl7lMOtEkrvC5 uPoYwvDR/+Mz/mvWFwybK2Y6o7q4+6zA== X-Received: by 2002:a17:90b:3c0b:b0:37e:1620:dabc with SMTP id 98e67ed59e1d1-387d42509d8mr4052426a91.0.1783456340179; Tue, 07 Jul 2026 13:32:20 -0700 (PDT) Received: from LAPTOP-83ECOPAB.localdomain ([167.220.148.19]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-387d19da395sm1808917a91.8.2026.07.07.13.32.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jul 2026 13:32:19 -0700 (PDT) From: "Cen Zhang (Microsoft)" To: marcelo.leitner@gmail.com, lucien.xin@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: horms@kernel.org, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, AutonomousCodeSecurity@microsoft.com, tgopinath@linux.microsoft.com, kys@microsoft.com, blbllhy@gmail.com Subject: [PATCH net] sctp: validate stream count in sctp_process_strreset_inreq() Date: Tue, 7 Jul 2026 16:32:15 -0400 Message-ID: <20260707203215.2752-1-blbllhy@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit When processing a RESET_IN_REQUEST from a peer, sctp_process_strreset_inreq() derives the stream count from the parameter length but does not check whether the resulting RESET_OUT_REQUEST response would exceed SCTP_MAX_CHUNK_LEN. The OUT request header (sctp_strreset_outreq, 16 bytes) is 8 bytes larger than the IN request header (sctp_strreset_inreq, 8 bytes). Generally, the IP payload is bounded to 65535 bytes, so the stream list cannot be large enough to trigger the overflow. However, on interfaces with MTU > 65535 (e.g., loopback with IPv6 jumbograms), a stream list that fits within the incoming IN parameter can cause a __u16 overflow in sctp_make_strreset_req() when computing the OUT response size, leading to an undersized skb allocation, raising a kernel BUG: net/core/skbuff.c:207 skb_panic net/core/skbuff.c:2625 skb_put net/sctp/sm_make_chunk.c:1535 sctp_addto_chunk net/sctp/sm_make_chunk.c:3695 sctp_make_strreset_req net/sctp/stream.c:655 sctp_process_strreset_inreq The local setsockopt path (sctp_send_reset_streams) already performs length validation, but the network packet path does not. Fix by adding similar length check before calling sctp_make_strreset_req(). Fixes: 7f9d68ac944e ("sctp: implement sender-side procedures for SSN Reset Request Parameter") Reported-by: AutonomousCodeSecurity@microsoft.com Signed-off-by: Cen Zhang (Microsoft) --- net/sctp/stream.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/sctp/stream.c b/net/sctp/stream.c index 5c2fdedea..ea3805712 100644 --- a/net/sctp/stream.c +++ b/net/sctp/stream.c @@ -639,6 +639,10 @@ struct sctp_chunk *sctp_process_strreset_inreq( nums = (ntohs(param.p->length) - sizeof(*inreq)) / sizeof(__u16); str_p = inreq->list_of_streams; + if (nums * sizeof(__u16) + sizeof(struct sctp_strreset_outreq) + > SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_reconf_chunk)) { + goto out; + } for (i = 0; i < nums; i++) { if (ntohs(str_p[i]) >= stream->outcnt) { result = SCTP_STRRESET_ERR_WRONG_SSN; -- 2.53.0