Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

sctp: avoid NULL dereference when chunk data buffer is missing

chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.

chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.

Fixes: 90017accff61 ("sctp: Add GSO support")
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/20251021130034.6333-1-bigalex934@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Authored by Alexey Simakov and committed by Jakub Kicinski
441f0647 a767957e

+7 -6
net/sctp/inqueue.c
··· 169 169 chunk->head_skb = chunk->skb; 170 170 171 171 /* skbs with "cover letter" */ 172 - if (chunk->head_skb && chunk->skb->data_len == chunk->skb->len) 172 + if (chunk->head_skb && chunk->skb->data_len == chunk->skb->len) { 173 + if (WARN_ON(!skb_shinfo(chunk->skb)->frag_list)) { 174 + __SCTP_INC_STATS(dev_net(chunk->skb->dev), 175 + SCTP_MIB_IN_PKT_DISCARDS); 176 + sctp_chunk_free(chunk); 177 + goto next_chunk; 178 + } 173 179 chunk->skb = skb_shinfo(chunk->skb)->frag_list; 174 - 175 - if (WARN_ON(!chunk->skb)) { 176 - __SCTP_INC_STATS(dev_net(chunk->skb->dev), SCTP_MIB_IN_PKT_DISCARDS); 177 - sctp_chunk_free(chunk); 178 - goto next_chunk; 179 180 } 180 181 } 181 182
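
Review bot: The added `WARN_ON(!skb_shinfo(chunk->skb)->frag_list)` check needs a one-line comment stating that `chunk->skb` must still be the head skb here, because the discard path directly below it uses `dev_net(chunk->skb->dev)`. That ordering is the whole fix and nothing in the code marks it, so a later cleanup could move the `chunk->skb = skb_shinfo(chunk->skb)->frag_list;` assignment back above the check and reintroduce the NULL dereference. Separately, if a missing frag_list can be reached from received traffic, `WARN_ON_ONCE` would avoid printing a backtrace for every such packet while the `SCTP_MIB_IN_PKT_DISCARDS` counter keeps recording each drop.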