Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

sctp: Prevent TOCTOU out-of-bounds write

For the following path not holding the sock lock,

sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()

make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).

Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Authored by Stefan Wiehler and committed by Jakub Kicinski
95aef86a 38f50242

net/sctp/diag.c: +3 lines
··· 88 88 memcpy(info, &laddr->a, sizeof(laddr->a)); 89 89 memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); 90 90 info += addrlen; 91 + 92 + if (!--addrcnt) 93 + break; 91 94 } 92 95 rcu_read_unlock(); 93 96
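Review bot: the new `if (!--addrcnt) break;` sits after the memcpy/memset/`info += addrlen` sequence, so it bounds the loop only when addrcnt is at least 1 on entry; if the count taken before the buffer was reserved can be zero (empty address list at time-of-check, entries added before time-of-use), the first iteration still writes one full addrlen entry into a zero-length reservation before the decrement wraps past zero and the break never fires. Moving the guard to the top of the loop body, e.g. `if (!addrcnt--) break;` before the memcpy, closes that case as well and keeps the "at most addrcnt entries" invariant for every starting value. Worth either making that change or stating in the commit message why addrcnt cannot be zero here.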