Re: [PATCH net] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks

From: patchwork-bot+netdevbpf

Date: Sat Apr 18 2026 - 15:30:49 EST


Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Wed, 15 Apr 2026 23:19:03 -0400 you wrote:
> sctp_getsockopt_peer_auth_chunks() checks that the caller's optval
> buffer is large enough for the peer AUTH chunk list with
>
>     if (len < num_chunks)
>         return -EINVAL;
>
> but then writes num_chunks bytes to p->gauth_chunks, which lives
> at offset offsetof(struct sctp_authchunks, gauth_chunks) == 8
> inside optval. The check is missing the sizeof(struct
> sctp_authchunks) = 8-byte header. When the caller supplies
> len == num_chunks (for any num_chunks > 0) the test passes but
> copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes
> past the declared buffer.
>
> [...]

Here is the summary with links:
- [net] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
https://git.kernel.org/netdev/net/c/0cf004ffb61c

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
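
An added userspace model of the length check described in the quoted commit message (not the kernel's code and not part of this message). It shows how many bytes fall past a `len`-byte buffer under the quoted check and under a header-inclusive check. The names `authchunks_model`, `check_quoted`, `check_with_header` and `overrun` are hypothetical, and the header-inclusive form is an assumption based on the description, since the message elides the rest of the patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for the layout in the commit message: an 8-byte
 * header, then the chunk list. Name and field types are assumptions. */
struct authchunks_model {
    int32_t  gauth_assoc_id;
    uint32_t gauth_number_of_chunks;
    uint8_t  gauth_chunks[];
};

#define HDR_LEN offsetof(struct authchunks_model, gauth_chunks)

/* The check exactly as quoted: compares len with the payload only. */
static int check_quoted(size_t len, size_t num_chunks)
{
    return len < num_chunks ? -EINVAL : 0;
}

/* Assumed header-inclusive form: the payload starts HDR_LEN bytes in. */
static int check_with_header(size_t len, size_t num_chunks)
{
    return len < HDR_LEN + num_chunks ? -EINVAL : 0;
}

/* Returns -EINVAL if the check rejects the call; otherwise the number of
 * bytes a num_chunks-byte write at offset HDR_LEN puts past a len-byte
 * buffer (0 means the write stays in bounds). */
static long overrun(int (*check)(size_t, size_t), size_t len, size_t num_chunks)
{
    int rc = check(len, num_chunks);
    size_t end = HDR_LEN + num_chunks;

    if (rc)
        return rc;
    return end > len ? (long)(end - len) : 0;
}

int main(void)
{
    /* Constructed case: caller declares len == num_chunks == 16. */
    printf("quoted check:      %ld\n", overrun(check_quoted, 16, 16));
    printf("with header check: %ld\n", overrun(check_with_header, 16, 16));
    return 0;
}
```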