__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length. An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter. Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter. The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop"). Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well") Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Michael Bommarito --- v2: - Regenerate from net/main so the patch has index lines and applies cleanly (Xin Long). - Use unsigned int for the decoded length and compare it against the remaining parameter space after the ADDIP header (David Laight). v1: https://lore.kernel.org/all/20260604175803.2142975-1-michael.bommarito@gmail.com/ net/sctp/input.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/sctp/input.c b/net/sctp/input.c index e119e460ccde0..c63d42500aa28 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -1197,13 +1197,26 @@ static struct sctp_association *__sctp_rcv_asconf_lookup( struct sctp_af *af; union sctp_addr_param *param; union sctp_addr paddr; + unsigned int param_space; + unsigned int plen; if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr)) return NULL; + param_space = ntohs(ch->length) - sizeof(*asconf); + /* Skip over the ADDIP header and find the Address parameter */ param = (union sctp_addr_param *)(asconf + 1); + /* The whole address parameter must lie within the chunk before + * af->from_addr_param() reads the variable-length address; otherwise a + * truncated trailing ASCONF chunk lets it read uninitialized bytes past + * the parameter. + */ + plen = ntohs(param->p.length); + if (plen < sizeof(struct sctp_paramhdr) || plen > param_space) + return NULL; + af = sctp_get_af_specific(param_type2af(param->p.type)); if (unlikely(!af)) return NULL; -- 2.53.0