From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0EC91C433F5 for ; Mon, 4 Oct 2021 13:22:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E5EF061002 for ; Mon, 4 Oct 2021 13:22:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236119AbhJDNYU (ORCPT ); Mon, 4 Oct 2021 09:24:20 -0400 Received: from mail.kernel.org ([198.145.29.99]:37266 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236390AbhJDNVa (ORCPT ); Mon, 4 Oct 2021 09:21:30 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 95E5861BD4; Mon, 4 Oct 2021 13:09:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1633352960; bh=63BZD+TwkvZUjFJ4LiCBPySeHyYT9QY60f+AVHD36qo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SMe0f7B9pePJyyUrnGIR/jQ8Grqf2uLKGe+W03c0jrNN5b4fUWTsEoMbK8KQHZ+uB veXhP3ykE9xDOsRcZrIJ44tTB818AL5rLqZc/Ip6cfO+zRirOWMxHx1ks1apjcKGOV w9f/arKRIaj4yzsee/O/ne5Uo7XTi6ikob7qznnc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com, Xin Long , Marcelo Ricardo Leitner , "David S. Miller" , Sasha Levin Subject: [PATCH 5.10 35/93] sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb Date: Mon, 4 Oct 2021 14:52:33 +0200 Message-Id: <20211004125035.721418591@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211004125034.579439135@linuxfoundation.org> References: <20211004125034.579439135@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit f7e745f8e94492a8ac0b0a26e25f2b19d342918f ] We should always check if skb_header_pointer's return is NULL before using it, otherwise it may cause null-ptr-deref, as syzbot reported: KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline] RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196 Call Trace: sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109 ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422 ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463 NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472 dst_input include/net/dst.h:460 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297 Fixes: 3acb50c18d8d ("sctp: delay as much as possible skb_linearize") Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/sctp/input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/input.c b/net/sctp/input.c index 49c49a4d203f..34494a0b28bd 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -677,7 +677,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb) ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch); /* Break out if chunk length is less then minimal. */ - if (ntohs(ch->length) < sizeof(_ch)) + if (!ch || ntohs(ch->length) < sizeof(_ch)) break; ch_end = offset + SCTP_PAD4(ntohs(ch->length)); -- 2.33.0