author: Stefan Wiehler <stefan.wiehler@nokia.com> 2025-10-28 17:12:27 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-12-03 12:45:15 +0100
commit: b106a68df0650b694b254427cd9250c04500edd3 (patch)
tree: 64652a26e65d0641098b20221d5bb598feac7531
parent: 5add5db8b1edd9ae73c5228773cfa2e9dd95e9e5 (diff)
sctp: Prevent TOCTOU out-of-bounds write
[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ]

For the following path not holding the sock lock,

  sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()

make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).

Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- net/sctp/diag.c | 3
1 file changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/sctp/diag.c b/net/sctp/diag.c
index fd7a55b3049d..641e52b9099d 100644
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
memcpy(info, &laddr->a, sizeof(laddr->a));
memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
info += addrlen;
+
+ if (!--addrcnt)
+ break;
}
rcu_read_unlock();
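Review bot: the new bound check sits after the memcpy/memset in the loop body, so it relies on addrcnt being non-zero when the loop is entered; if a zero count can ever reach this loop, the first address is still written before `if (!--addrcnt) break;` fires, and a guard before the loop (or folding the count into the loop condition) would close that case as well. A one-line comment stating that addrcnt is the count the buffer was sized for, and that the address list is walked under rcu_read_lock without the sock lock and may have grown since allocation, would make the time-of-check/time-of-use intent of this hunk clear to future readers without having to consult the commit message.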