From: Xin Long <lucien.xin@xxxxxxxxx>
Date: Mon, 9 Dec 2019 13:45:54 +0800

> Syzbot found a crash:
> ...
> The issue was caused by transport->ipaddr set with uninit addr param, which
> was passed by:
>
>   sctp_transport_init net/sctp/transport.c:47 [inline]
>   sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
>   sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
>   sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
>
> where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
> the padding of addr->v4.
>
> Later when calling sctp_make_heartbeat(), hbinfo.daddr (=transport->ipaddr)
> will become part of the skb, and the issue occurs.
>
> This patch is to fix it by initializing the padding of addr->v4 in
> sctp_v4_from_addr_param(), as well as other functions that do a similar
> thing, and these functions shouldn't trust that the caller initializes the
> memory, as Marcelo suggested.
>
> Reported-by: syzbot+6dcbfea81cd3d4dd0b02@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>

Applied and queued up for -stable, thanks.
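The bug class in the commit message above, an address converter that writes only the fields it knows about and leaves the padding holding whatever the caller's memory contained, is easy to reproduce in userspace. The following is an added illustration by the editor, not the kernel patch and not code from the SCTP tree: the struct, union and function names are stand-ins that approximate the sockaddr_in/sockaddr_in6 layouts, the 0xAA poison stands in for stale stack contents, and the input values are constructed. The "zero padding" variant mirrors what the message describes (initializing the padding of addr->v4 in the callee); the "zero all" variant is the editor's more conservative form, which also covers bytes beyond the v4 member when the whole union is copied onto the wire, as the heartbeat path described above copies transport->ipaddr into the skb.

```c
/* Added example (editor's illustration, not kernel code): a converter that
 * writes only the fields it knows about leaks the caller's stale memory once
 * the whole address object is copied onto the wire. All names are stand-ins,
 * not sctp_* kernel symbols. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_INET_ 2

/* Assumption: these approximate sockaddr_in / sockaddr_in6 layouts. */
struct sockaddr_in_ {
    uint16_t sin_family;
    uint16_t sin_port;
    uint32_t sin_addr;      /* address in network byte order */
    uint8_t  sin_zero[8];   /* padding: never written by the leaky path */
};
struct sockaddr_in6_ {
    uint16_t sin6_family;
    uint16_t sin6_port;
    uint32_t sin6_flowinfo;
    uint8_t  sin6_addr[16];
    uint32_t sin6_scope_id;
};
union addr_ {                /* stand-in for a v4/v6 address union */
    struct sockaddr_in_  v4;
    struct sockaddr_in6_ v6;
};

/* The IPv4 part of an address parameter parsed from the peer's chunk. */
struct v4_addr_param_ { uint32_t s_addr; };

typedef void (*from_param_fn)(union addr_ *, const struct v4_addr_param_ *, uint16_t);

/* "Before": only family, port and address are written. sin_zero and the bytes
 * of the union beyond the v4 member keep whatever the caller's memory held. */
void from_addr_param_leaky(union addr_ *addr, const struct v4_addr_param_ *p, uint16_t port)
{
    addr->v4.sin_family = AF_INET_;
    addr->v4.sin_port   = port;
    addr->v4.sin_addr   = p->s_addr;
}

/* Narrow fix: the callee clears the v4 padding itself instead of trusting the
 * caller. Bytes past the v4 member of the union are still untouched. */
void from_addr_param_zero_padding(union addr_ *addr, const struct v4_addr_param_ *p, uint16_t port)
{
    from_addr_param_leaky(addr, p, port);
    memset(addr->v4.sin_zero, 0, sizeof addr->v4.sin_zero);
}

/* Conservative fix: the callee zeroes the whole object before filling fields,
 * so no caller can reintroduce the leak whatever it copies later. */
void from_addr_param_zero_all(union addr_ *addr, const struct v4_addr_param_ *p, uint16_t port)
{
    memset(addr, 0, sizeof *addr);
    from_addr_param_leaky(addr, p, port);
}

/* Model the reported data flow: the caller's slot holds stale data (0xAA
 * stands in for uninitialized stack contents), the converter fills it, and the
 * whole union is then copied into an outgoing buffer the way the heartbeat
 * path copies the transport address into the skb. Returns how many bytes of
 * that outgoing buffer still carry the poison, i.e. how much leaked. */
size_t bytes_leaked_on_wire(from_param_fn convert)
{
    union addr_ addr;
    memset(&addr, 0xAA, sizeof addr);

    /* Constructed address/port values, chosen so no byte equals the poison. */
    struct v4_addr_param_ param = { .s_addr = 0x0100007fu };
    convert(&addr, &param, 0x2328);

    unsigned char wire[sizeof addr];
    memcpy(wire, &addr, sizeof addr);

    size_t leaked = 0;
    for (size_t i = 0; i < sizeof wire; i++)
        if (wire[i] == 0xAA)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("leaky        : %zu stale bytes on the wire\n", bytes_leaked_on_wire(from_addr_param_leaky));
    printf("zero padding : %zu stale bytes on the wire\n", bytes_leaked_on_wire(from_addr_param_zero_padding));
    printf("zero all     : %zu stale bytes on the wire\n", bytes_leaked_on_wire(from_addr_param_zero_all));
    return 0;
}
```

The count for the leaky variant is the union size minus the 8 bytes actually assigned; clearing sin_zero removes the 8 padding bytes inside the v4 member and zeroing the whole union removes the rest. Which of the two fixes is sufficient depends on how much of the object the consumer copies, which is why a callee that cannot see its callers is safest zeroing everything it is handed.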