Merge branch 'sctp-fix-two-issues-in-sctp_clone_sock'

Kuniyuki Iwashima says: ==================== sctp: Fix two issues in sctp_clone_sock(). syzbot reported two issues in sctp_clone_sock(). This series fixes the issues. v1: https://lore.kernel.org/netdev/20251208133728.157648-1-kuniyu@google.com/ ==================== Link: https://patch.msgid.link/20251210081206.1141086-1-kuniyu@google.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2025-12-27 08:45:26 -05:00 · 2025-12-18 16:18:02 +01:00
parent 15564bd67e d7ff61e6f3
commit cdc3074c00
2 changed files with 6 additions and 3 deletions
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -492,6 +492,8 @@ static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
 	struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
 	struct ipv6_txoptions *opt;

+	inet_sk(newsk)->inet_opt = NULL;
+
 	newnp = inet6_sk(newsk);

 	rcu_read_lock();
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4863,8 +4863,6 @@ static struct sock *sctp_clone_sock(struct sock *sk,

 	newsp->pf->to_sk_daddr(&asoc->peer.primary_addr, newsk);
 	newinet->inet_dport = htons(asoc->peer.port);
-
-	newsp->pf->copy_ip_options(sk, newsk);
 	atomic_set(&newinet->inet_id, get_random_u16());

 	inet_set_bit(MC_LOOP, newsk);
@@ -4874,17 +4872,20 @@ static struct sock *sctp_clone_sock(struct sock *sk,

 #if IS_ENABLED(CONFIG_IPV6)
 	if (sk->sk_family == AF_INET6) {
-		struct ipv6_pinfo *newnp = inet6_sk(newsk);
+		struct ipv6_pinfo *newnp;

 		newinet->pinet6 = &((struct sctp6_sock *)newsk)->inet6;
 		newinet->ipv6_fl_list = NULL;

+		newnp = inet6_sk(newsk);
 		memcpy(newnp, inet6_sk(sk), sizeof(struct ipv6_pinfo));
 		newnp->ipv6_mc_list = NULL;
 		newnp->ipv6_ac_list = NULL;
 	}
 #endif

+	newsp->pf->copy_ip_options(sk, newsk);
+
 	newsp->do_auto_asconf = 0;
 	skb_queue_head_init(&newsp->pd_lobby);