
Commit 7172c8c

committed
Merge branch 'fix-sctp-diag-locking-issues'
Stefan Wiehler says: ==================== Fix SCTP diag locking issues - Hold RCU read lock while iterating over address list in inet_diag_msg_sctpaddrs_fill() - Prevent TOCTOU out-of-bounds write - Hold sock lock while iterating over address list in sctp_sock_dump_one() ==================== Link: https://patch.msgid.link/20251028161506.3294376-1-stefan.wiehler@nokia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2 parents 99ae067 + f1fc201 commit 7172c8c


1 file changed

+16
-5
lines changed


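--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -73,19 +73,26 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
 	struct nlattr *attr;
 	void *info = NULL;
 
+	rcu_read_lock();
 	list_for_each_entry_rcu(laddr, address_list, list)
 		addrcnt++;
+	rcu_read_unlock();
 
 	attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt);
 	if (!attr)
 		return -EMSGSIZE;
 
 	info = nla_data(attr);
+	rcu_read_lock();
 	list_for_each_entry_rcu(laddr, address_list, list) {
 		memcpy(info, &laddr->a, sizeof(laddr->a));
 		memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
 		info += addrlen;
+
+		if (!--addrcnt)
+			break;
 	}
+	rcu_read_unlock();
 
 	return 0;
 }
@@ -223,14 +230,15 @@ struct sctp_comm_param {
 	bool net_admin;
 };
 
-static size_t inet_assoc_attr_size(struct sctp_association *asoc)
+static size_t inet_assoc_attr_size(struct sock *sk,
+				   struct sctp_association *asoc)
 {
 	int addrlen = sizeof(struct sockaddr_storage);
 	int addrcnt = 0;
 	struct sctp_sockaddr_entry *laddr;
 
 	list_for_each_entry_rcu(laddr, &asoc->base.bind_addr.address_list,
-				list)
+				list, lockdep_sock_is_held(sk))
 		addrcnt++;
 
 	return nla_total_size(sizeof(struct sctp_info))
@@ -256,11 +264,14 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t
 	if (err)
 		return err;
 
-	rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL);
-	if (!rep)
+	lock_sock(sk);
+
+	rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
+	if (!rep) {
+		release_sock(sk);
 		return -ENOMEM;
+	}
 
-	lock_sock(sk);
 	if (ep != assoc->ep) {
 		err = -EAGAIN;
 		goto out;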
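Review bot: The `if (!--addrcnt) break;` guard in inet_diag_msg_sctpladdrs_fill() closes the overflow direction of the TOCTOU but not the shrink direction: the two RCU read sections are separate, so if entries are removed from address_list between the counting pass and the copy pass, the loop ends with `addrcnt` still positive and the last `addrlen * addrcnt` bytes of the INET_DIAG_LOCALS attribute are never written. As far as I recall nla_reserve() only zeroes the trailing padding, not the payload, so those bytes would be whatever the skb allocation left there and go out to userspace at the reserved length. Since `addrcnt` is exactly the number of unfilled slots when the loop runs off the end, a one-line tail clear after the second rcu_read_unlock() would cover it: `if (addrcnt) memset(info, 0, addrlen * addrcnt);`. Alternatively a short comment above the first rcu_read_lock() stating why the count and copy are done in separate RCU sections rather than one would help the next reader, since nla_reserve() does not sleep. The function body begins above the first hunk, so I can only see its tail here.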
