Commit 51e5ad54 authored by Ranganath V N's avatar Ranganath V N Committed by Paolo Abeni
Browse files

net: sctp: fix KMSAN uninit-value in sctp_inq_pop 



Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
BUG: KMSAN: uninit-value in sctp_inq_pop

The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:

        if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
                       skb_transport_offset(skb))
To handle this safely, a new check should be performed after sk_filter().

Reported-by: default avatar <syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com>
Tested-by: default avatar <syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7


Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Suggested-by: default avatarXin Long <lucien.xin@gmail.com>
Signed-off-by: default avatarRanganath V N <vnranganath.20@gmail.com>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251026-kmsan_fix-v3-1-2634a409fa5f@gmail.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parent 6a2108c7
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment