From: Dong Chenchen <dongchenchen2@huawei.com> hulk inclusion category: bugfix bugzilla: 188766 CVE: NA ---------------------------------------- The stream->incnt is used to record number of stream_in. sctp_stream_alloc_in() allocate array of incnt size for sctp_stream_in. If array is allocated successfully in sctp_stream_init(), stream->incnt should be updated with variable incnt. Fixes: 703397c74f8f5("sctp: leave the err path free in sctp_stream_init to sctp_stream_fre") Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> Reviewed-by: Liu Jian <liujian56@huawei.com> Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com> --- net/sctp/stream.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/sctp/stream.c b/net/sctp/stream.c index 435cbf4549e7..c500d4e22cda 100644 --- a/net/sctp/stream.c +++ b/net/sctp/stream.c @@ -242,7 +242,11 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt, if (!incnt) return 0; - return sctp_stream_alloc_in(stream, incnt, gfp); + ret = sctp_stream_alloc_in(stream, incnt, gfp); + if (!ret) + stream->incnt = incnt; + + return ret; } int sctp_stream_init_ext(struct sctp_stream *stream, __u16 sid) -- 2.31.1