authorAlexey Simakov <bigalex934@gmail.com>2025-10-21 16:00:36 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2025-10-29 14:01:21 +0100
commit08165c296597075763130919f2aae59b5822f016 (patch)
tree0ed3dcfba4afa66bc6589ba057bb0cb3417d4681 /net
parent6e8614d063f22ff980ec7416734fe837bf78bad6 (diff)
sctp: avoid NULL dereference when chunk data buffer is missing
[ Upstream commit 441f0647f7673e0e64d4910ef61a5fb8f16bfb82 ] chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition. Fixes: 90017accff61 ("sctp: Add GSO support") Signed-off-by: Alexey Simakov <bigalex934@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Link: https://patch.msgid.link/20251021130034.6333-1-bigalex934@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net')
-rw-r--r--net/sctp/inqueue.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 7182c5a450fb..6a434d441dc7 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -163,13 +163,14 @@ next_chunk:
chunk->head_skb = chunk->skb;
/* skbs with "cover letter" */
- if (chunk->head_skb && chunk->skb->data_len == chunk->skb->len)
+ if (chunk->head_skb && chunk->skb->data_len == chunk->skb->len) {
+ if (WARN_ON(!skb_shinfo(chunk->skb)->frag_list)) {
+ __SCTP_INC_STATS(dev_net(chunk->skb->dev),
+ SCTP_MIB_IN_PKT_DISCARDS);
+ sctp_chunk_free(chunk);
+ goto next_chunk;
+ }
chunk->skb = skb_shinfo(chunk->skb)->frag_list;
-
- if (WARN_ON(!chunk->skb)) {
- __SCTP_INC_STATS(dev_net(chunk->skb->dev), SCTP_MIB_IN_PKT_DISCARDS);
- sctp_chunk_free(chunk);
- goto next_chunk;
}
}
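Review bot: The new `WARN_ON(!skb_shinfo(chunk->skb)->frag_list)` sits on the packet receive path, so if a malformed GSO skb can ever reach it, every such packet produces a full warning with a stack trace, and a host running with panic_on_warn would go down. The context line `chunk->head_skb = chunk->skb;` appears to be guarded by a condition that starts outside this hunk, so the branch may be purely defensive; either way `if (WARN_ON_ONCE(!skb_shinfo(chunk->skb)->frag_list)) {` keeps the diagnostic without letting it repeat. A short comment above the check, e.g. `/* head_skb set but no frag_list: nothing to walk, drop the packet */`, would record in the code why chunk->skb is not tested again after the assignment. The enclosing if-block and the next_chunk label both lie outside the hunk, so the state the `goto` resumes in cannot be confirmed from here.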