Commit cdc3074c authored by Paolo Abeni's avatar Paolo Abeni

Merge branch 'sctp-fix-two-issues-in-sctp_clone_sock'

Kuniyuki Iwashima says:

====================
sctp: Fix two issues in sctp_clone_sock().

syzbot reported two issues in sctp_clone_sock().

This series fixes the issues.

v1: https://lore.kernel.org/netdev/20251208133728.157648-1-kuniyu@google.com/
====================

Link: https://patch.msgid.link/20251210081206.1141086-1-kuniyu@google.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parents 15564bd6 d7ff61e6
+2 −0
@@ -492,6 +492,8 @@ static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
	struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
	struct ipv6_txoptions *opt;

	inet_sk(newsk)->inet_opt = NULL;

	newnp = inet6_sk(newsk);

	rcu_read_lock();
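Review bot: The added `inet_sk(newsk)->inet_opt = NULL;` carries no comment explaining why an IPv6 helper resets an IPv4 field, and the commit text on this page only says that syzbot reported an issue. Presumably newsk still holds the parent's inet_opt pointer from the clone, so leaving it in place would let two sockets own and later free the same options object. A one-line comment such as `/* newsk was cloned from sk: drop the inherited IPv4 options pointer so it is never shared */` would stop the line from being removed as dead code later. If inet_opt is an RCU-annotated pointer (its declaration is not visible here), `RCU_INIT_POINTER(inet_sk(newsk)->inet_opt, NULL);` would state the intent more clearly. The body of sctp_v6_copy_ip_options continues outside the hunk.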
+4 −3
@@ -4863,8 +4863,6 @@ static struct sock *sctp_clone_sock(struct sock *sk,

	newsp->pf->to_sk_daddr(&asoc->peer.primary_addr, newsk);
	newinet->inet_dport = htons(asoc->peer.port);

	newsp->pf->copy_ip_options(sk, newsk);
	atomic_set(&newinet->inet_id, get_random_u16());

	inet_set_bit(MC_LOOP, newsk);
@@ -4874,17 +4872,20 @@ static struct sock *sctp_clone_sock(struct sock *sk,

#if IS_ENABLED(CONFIG_IPV6)
	if (sk->sk_family == AF_INET6) {
		struct ipv6_pinfo *newnp = inet6_sk(newsk);
		struct ipv6_pinfo *newnp;

		newinet->pinet6 = &((struct sctp6_sock *)newsk)->inet6;
		newinet->ipv6_fl_list = NULL;

		newnp = inet6_sk(newsk);
		memcpy(newnp, inet6_sk(sk), sizeof(struct ipv6_pinfo));
		newnp->ipv6_mc_list = NULL;
		newnp->ipv6_ac_list = NULL;
	}
#endif

	newsp->pf->copy_ip_options(sk, newsk);

	newsp->do_auto_asconf = 0;
	skb_queue_head_init(&newsp->pd_lobby);
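Review bot: Both moves in this section rely on an ordering that nothing in the code states. `newnp = inet6_sk(newsk);` and the relocated `newsp->pf->copy_ip_options(sk, newsk);` are only correct once `newinet->pinet6` has been pointed at newsk's own ipv6_pinfo. The IPv6 handler in the other file section calls `inet6_sk(newsk)` itself, so a later cleanup that hoists either line back above the `pinet6` assignment would presumably make the clone read or modify the parent socket's state again. I would add `/* inet6_sk(newsk) is valid only after ->pinet6 is set above */` before the `newnp` assignment and `/* must run after the pinet6 setup: the v6 handler uses inet6_sk(newsk) */` before the call. sctp_clone_sock starts and ends outside the hunks shown.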