2327194 – (CVE-2024-50299) CVE-2024-50299 kernel: sctp: properly validate chunk size in sctp_sf_ootb()

Bug 2327194 (CVE-2024-50299) - CVE-2024-50299 kernel: sctp: properly validate chunk size in sctp_sf_ootb()

Summary: CVE-2024-50299 kernel: sctp: properly validate chunk size in sctp_sf_ootb()

Keywords:
Status:	NEW
Alias:	CVE-2024-50299
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2327226
Blocks:
TreeView+	depends on / blocked

Reported:	2024-11-19 02:03 UTC by OSIDB Bzimport
Modified:	2025-05-13 08:35 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:6966	0	None	None	None	2025-05-13 08:35:25 UTC

Description OSIDB Bzimport 2024-11-19 02:03:07 UTC

In the Linux kernel, the following vulnerability has been resolved:

sctp: properly validate chunk size in sctp_sf_ootb()

A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
size validation when walking chunks") is also required in sctp_sf_ootb()
to address a crash reported by syzbot:

  BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
  sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
  sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
  sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
  sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
  sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
  sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
  ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233

Comment 1 Avinash Hanwate 2024-11-19 04:45:26 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024111904-CVE-2024-50299-795d@gregkh/T

Comment 2 errata-xmlrpc 2025-05-13 08:35:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:6966 https://access.redhat.com/errata/RHSA-2025:6966

Note You need to log in before you can comment on or make changes to this bug.