Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
xfrm: account XFRMA_IF_ID in aevent size calculation

xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then
build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is
set.

xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states
with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)
in xfrm_get_ae(), turning a malformed netlink interaction into a kernel
panic.

Account XFRMA_IF_ID in the size calculation unconditionally and replace
the BUG_ON with normal error unwinding.

Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

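The mismatch the commit message describes, as an added user-space model (not kernel code and not part of this commit): the reply buffer is sized by one function and filled by another, and the filler emits an extra attribute only when a field is set. The `nlattr` layout and the `nla_total_size()` arithmetic follow `include/uapi/linux/netlink.h`; the state struct, the toy `skb`, the attribute numbers and the `*_model` helper names are placeholders chosen for this example, not the real `XFRMA_*` values or the xfrm functions. The hypothetical `get_ae_model()` returns the build error to its caller, which is the unwinding behaviour the fix substitutes for the `BUG_ON`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute layout from include/uapi/linux/netlink.h (same arithmetic as the kernel). */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Header plus payload, padded to the 4-byte attribute alignment. */
static inline int nla_total_size(int payload)
{
    return NLA_ALIGN(NLA_HDRLEN + payload);
}

/* Placeholder attribute numbers for this model; not the real XFRMA_* values. */
enum { ATTR_REPLAY = 1, ATTR_LTIME_VAL = 2, ATTR_IF_ID = 3 };

/* Stand-in for the handful of xfrm_state fields the aevent carries (assumption). */
struct xfrm_state_model {
    uint32_t replay_seq;
    uint32_t replay_oseq;
    uint32_t lifetime_packets;
    uint32_t if_id;            /* 0: state is not bound to an xfrm interface */
};

/* Toy sk_buff: capacity is whatever the size function asked for. */
struct skb_model {
    unsigned char data[128];
    int len;
    int size;
};

/* Behaves like nla_put(): fails with -EMSGSIZE once the tailroom is exhausted. */
static int nla_put_model(struct skb_model *skb, uint16_t type, int payload_len, const void *payload)
{
    int total = nla_total_size(payload_len);
    struct nlattr *nla;

    if (skb->len + total > skb->size)
        return -EMSGSIZE;
    nla = (struct nlattr *)(skb->data + skb->len);
    memset(nla, 0, total);                      /* zero the padding bytes too */
    nla->nla_len = NLA_HDRLEN + payload_len;
    nla->nla_type = type;
    memcpy((unsigned char *)nla + NLA_HDRLEN, payload, payload_len);
    skb->len += total;
    return 0;
}

/* Size function as it was before the fix: no room reserved for IF_ID. */
static int aevent_msgsize_unaccounted(const struct xfrm_state_model *x)
{
    (void)x;
    return nla_total_size(2 * sizeof(uint32_t))   /* replay counters */
         + nla_total_size(sizeof(uint32_t));      /* lifetime counter */
}

/* After the fix: IF_ID reserved unconditionally; a state without if_id merely over-allocates. */
static int aevent_msgsize_accounted(const struct xfrm_state_model *x)
{
    return aevent_msgsize_unaccounted(x)
         + nla_total_size(sizeof(x->if_id));      /* IF_ID */
}

/* Mirrors build_aevent(): IF_ID is emitted only when the state has one. */
static int build_aevent_model(struct skb_model *skb, const struct xfrm_state_model *x)
{
    uint32_t replay[2] = { x->replay_seq, x->replay_oseq };
    int err;

    err = nla_put_model(skb, ATTR_REPLAY, sizeof(replay), replay);
    if (err)
        return err;
    err = nla_put_model(skb, ATTR_LTIME_VAL, sizeof(x->lifetime_packets), &x->lifetime_packets);
    if (err)
        return err;
    if (x->if_id)
        err = nla_put_model(skb, ATTR_IF_ID, sizeof(x->if_id), &x->if_id);
    return err;
}

/* Mirrors the shape of xfrm_get_ae(): size the reply, build it, and hand any build
 * error back to the caller instead of treating it as impossible. */
static int get_ae_model(const struct xfrm_state_model *x,
                        int (*msgsize)(const struct xfrm_state_model *),
                        struct skb_model *out)
{
    memset(out, 0, sizeof(*out));
    out->size = msgsize(x);
    return build_aevent_model(out, x);
}

/* Runs one scenario: a constructed state with the given if_id against either size function. */
static int get_ae_scenario(uint32_t if_id, int accounted)
{
    struct xfrm_state_model x = { .replay_seq = 10, .replay_oseq = 20,
                                  .lifetime_packets = 5, .if_id = if_id };
    struct skb_model skb;

    return get_ae_model(&x, accounted ? aevent_msgsize_accounted : aevent_msgsize_unaccounted, &skb);
}

int main(void)
{
    printf("if_id set, IF_ID unaccounted: %d (EMSGSIZE is %d)\n", get_ae_scenario(7, 0), -EMSGSIZE);
    printf("if_id set, IF_ID accounted:   %d\n", get_ae_scenario(7, 1));
    printf("no if_id,  IF_ID unaccounted: %d\n", get_ae_scenario(0, 0));
    return 0;
}
```

With the pre-fix size function, a state that has an `if_id` needs 28 bytes of attributes but is given a 20-byte buffer, so the last `nla_put` fails; the same state succeeds once the size function reserves the extra 8 bytes, and a state without `if_id` fits either way. Under a `BUG_ON(err < 0)` the first case is a panic reachable from a netlink request; with the error returned it is an `-EMSGSIZE` the caller can unwind from.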
authored by Keenan Dong and committed by Steffen Klassert
7081d46d 71a98248

+8 -2
net/xfrm/xfrm_user.c
··· 2677 2677 + nla_total_size(4) /* XFRM_AE_RTHR */ 2678 2678 + nla_total_size(4) /* XFRM_AE_ETHR */ 2679 2679 + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */ 2680 - + nla_total_size(4); /* XFRMA_SA_PCPU */ 2680 + + nla_total_size(4) /* XFRMA_SA_PCPU */ 2681 + + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */ 2681 2682 } 2682 2683 2683 2684 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) ··· 2790 2789 c.portid = nlh->nlmsg_pid; 2791 2790 2792 2791 err = build_aevent(r_skb, x, &c); 2793 - BUG_ON(err < 0); 2792 + if (err < 0) { 2793 + spin_unlock_bh(&x->lock); 2794 + xfrm_state_put(x); 2795 + kfree_skb(r_skb); 2796 + return err; 2797 + } 2794 2798 2795 2799 err = nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, NETLINK_CB(skb).portid); 2796 2800 spin_unlock_bh(&x->lock);
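Review bot: in the xfrm_aevent_msgsize() hunk, the new `+ nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */` term is added unconditionally while, per the commit message, build_aevent() emits XFRMA_IF_ID only when x->if_id is set; that is the right trade (a few bytes of over-allocation for states without an if_id, never an under-sized reply), and it avoids a second if_id decision that could drift from the emitter. Worth confirming while here that every attribute build_aevent() can put has a matching term in this sum, since the BUG_ON removed in the second hunk was the only thing that made an omission loud rather than a silently truncated reply.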
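Review bot: in the xfrm_get_ae() hunk, the new error path hand-writes `spin_unlock_bh(&x->lock); xfrm_state_put(x); kfree_skb(r_skb);`, while the existing tail after nlmsg_unicast() at 2800 only shows the unlock; please verify that the state reference is dropped in the same order on the success path further down (not visible here), or route both through one unwind label so the two paths cannot diverge later. The kfree_skb(r_skb) is needed because nlmsg_unicast(), which consumes r_skb on success and failure alike, is no longer reached on this path. Returning the raw build_aevent() error (-EMSGSIZE) to user space is acceptable for a sizing bug and is a clear improvement over a panic triggered by a netlink request.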