In the Linux kernel, the following vulnerability has been resolved: sctp: fix uninit-value in __sctp_rcv_asconf_lookup() __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length. An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter. Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter. The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
| Vendor | Product | Versions |
|---|---|---|
| linux | linux kernel | df21857714398acb8b24a8bb5a6d2286dd9c59ef, df21857714398acb8b24a8bb5a6d2286dd9c59ef, df21857714398acb8b24a8bb5a6d2286dd9c59ef, df21857714398acb8b24a8bb5a6d2286dd9c59ef, df21857714398acb8b24a8bb5a6d2286dd9c59ef, df21857714398acb8b24a8bb5a6d2286dd9c59ef, df21857714398acb8b24a8bb5a6d2286dd9c59ef, df21857714398acb8b24a8bb5a6d2286dd9c59ef, 2.6.25 |
Updated description with detailed technical information, added new affected versions, and marked exploit availability and active exploitation status as true.
Updated severity to CRITICAL, added affected version 7.0.12, and corrected exploit availability to false.
Initial creation
