[PATCH 2/2] sctp: auth: Fix safety issue when skb_clone fails in auth_chunk handling

From: luoqing

Date: Thu Jul 16 2026 - 02:54:26 EST


From: luoqing <luoqing@xxxxxxxxxx>

When processing AUTH + COOKIE-ECHO packets, if skb_clone fails due to
memory pressure, chunk->auth_chunk is set to NULL but chunk->auth is
still set to 1. This causes sctp_auth_chunk_verify to skip the AUTH
validation (since auth_chunk is NULL), allowing unauthenticated
COOKIE-ECHO packets to be accepted.

Fix this by only setting chunk->auth = 1 when skb_clone succeeds.

Signed-off-by: luoqing <luoqing@xxxxxxxxxx>
---
net/sctp/associola.c | 3 ++-
net/sctp/endpointola.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 62d3cc155809..e54068305396 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -999,7 +999,8 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
if (next_hdr->type == SCTP_CID_COOKIE_ECHO) {
chunk->auth_chunk = skb_clone(chunk->skb,
GFP_ATOMIC);
- chunk->auth = 1;
+ if (chunk->auth_chunk)
+ chunk->auth = 1;
continue;
}
}
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index dfb1719275db..3419748c66bc 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -368,7 +368,8 @@ static void sctp_endpoint_bh_rcv(struct work_struct *work)
if (next_hdr->type == SCTP_CID_COOKIE_ECHO) {
chunk->auth_chunk = skb_clone(chunk->skb,
GFP_ATOMIC);
- chunk->auth = 1;
+ if (chunk->auth_chunk)
+ chunk->auth = 1;
continue;
}
}
--
2.25.1