From b1298215f873c1e98850ee13a312f422f15f13ff Mon Sep 17 00:00:00 2001 From: Ranganath V N Date: Thu, 23 Oct 2025 15:14:20 +0530 Subject: [PATCH] net: sctp: fix KMSAN uninit-value in sctp_inq_pop Fix an issue detected by syzbot: KMSAN reported an uninitialized-value access in sctp_inq_pop while parsing an SCTP chunk header received from a locally transmitted packet. BUG: KMSAN: uninit-value in sctp_inq_pop skb allocated in sctp_packet_transmit() contains uninitialized bytes. sctp transmit path writes only the necessary header and chunk data, the receive path reads from uninitialized parts of the skb, triggering KMSAN. Fix this by explicitly zeroing the skb payload area after allocation and reservation, ensuring all future reads from this region are fully initialized. Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7 Signed-off-by: Ranganath V N --- net/sctp/input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/input.c b/net/sctp/input.c index 7e99894778d4..e119e460ccde 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -190,7 +190,7 @@ int sctp_rcv(struct sk_buff *skb) goto discard_release; nf_reset_ct(skb); - if (sk_filter(sk, skb)) + if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr)) goto discard_release; /* Create an SCTP packet structure. */ -- 2.43.0
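
Review bot: the changelog and the hunk disagree. The message says the fix is "explicitly zeroing the skb payload area after allocation and reservation" on the transmit side, but the only change is a length test added to the sk_filter() condition in sctp_rcv() in net/sctp/input.c. Comparing skb->len against sizeof(struct sctp_chunkhdr) does not initialize any bytes, so either the description should be rewritten to explain why a too-short packet is what makes sctp_inq_pop read uninitialized data, or the zeroing it describes is missing from the patch. If the length test is the intended fix, give it its own if statement with a one-line comment instead of folding it into `if (sk_filter(sk, skb) || ...)`, since a filter rejection and a truncated packet are unrelated discard reasons. The Fixes: trailer also carries a syzkaller URL; that tag is meant to name the commit that introduced the bug, and the report link belongs in a Closes: trailer.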