sctp_sf_do_5_2_6_stale() reads the 32-bit Measure of Staleness that follows the error header: stale = ntohl(*(__be32 *)((u8 *)err + sizeof(*err))); without checking that the STALE_COOKIE cause actually carries that 4-byte body. sctp_walk_errors() in the caller only requires err->length >= sizeof(struct sctp_errhdr), so a peer can send an 8-byte ERROR chunk whose sole STALE_COOKIE cause has length == 4 and no body. It passes sctp_chunk_length_valid() (>= 8) and the error walk, yet the staleness read reaches past the validated cause. When that is the only chunk in the packet the cause ends exactly at skb_tail (sctp_inq_pop() discards only when chunk_end > skb_tail), so the read stays in-bounds of the skb head slab object but past the packet data. The value is folded into the COOKIE_PRESERVATIVE parameter of the retransmitted INIT and reflected to the peer, leaking adjacent kernel slab bytes. Discard the chunk when the staleness field falls outside the validated chunk data. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Weiming Shi Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Xiang Mei --- net/sctp/sm_statefuns.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index d23d935e128e..e4b4b63162cf 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -2592,6 +2592,9 @@ static enum sctp_disposition sctp_sf_do_5_2_6_stale( err = (struct sctp_errhdr *)(chunk->skb->data); + if ((u8 *)err + sizeof(*err) + sizeof(__be32) > chunk->chunk_end) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* When calculating the time extension, an implementation * SHOULD use the RTT information measured based on the * previous COOKIE ECHO / ERROR exchange, and should add no -- 2.43.0