The function set_sadb_address() calls the function pfkey_sockaddr_fill(), but does not check its return value. A proper implementation can be found in set_sadb_kmaddress().
Add an error check for set_sadb_address(), return error code if the function fails.
Fixes: e5b56652c11b ("key: Share common code path to fill sockaddr{}.")
Cc: stable@vger.kernel.org # v2.6
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 net/key/af_key.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c index c56bb4f451e6..537c9604e356 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -3474,15 +3474,17 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type, switch (type) { case SADB_EXT_ADDRESS_SRC: addr->sadb_address_prefixlen = sel->prefixlen_s; - pfkey_sockaddr_fill(&sel->saddr, 0, - (struct sockaddr *)(addr + 1), - sel->family); + if (!pfkey_sockaddr_fill(&sel->saddr, 0, + (struct sockaddr *)(addr + 1), + sel->family)) + return -EINVAL; break; case SADB_EXT_ADDRESS_DST: addr->sadb_address_prefixlen = sel->prefixlen_d; - pfkey_sockaddr_fill(&sel->daddr, 0, - (struct sockaddr *)(addr + 1), - sel->family); + if (!pfkey_sockaddr_fill(&sel->daddr, 0, + (struct sockaddr *)(addr + 1), + sel->family)) + return -EINVAL; break; default: return -EINVAL;
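Review bot: In both the SADB_EXT_ADDRESS_SRC and SADB_EXT_ADDRESS_DST cases the new "return -EINVAL" only helps if every caller of set_sadb_address() checks its return value, and the patch touches nothing outside this function, so please confirm the callers propagate the error. The commit message should also say when pfkey_sockaddr_fill() can actually fail here, that is, whether sel->family can reach this switch unvalidated; if it cannot, the check is hardening rather than a fix, and the Fixes: tag and the stable Cc should be dropped. The "# v2.6" annotation on the Cc line is also too vague to tell the stable maintainers which releases are meant.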
On Sun, May 25, 2025 at 11:53:50PM +0800, Wentao Liang wrote:
> The function set_sadb_address() calls the function pfkey_sockaddr_fill(), but does not check its return value. A proper implementation can be found in set_sadb_kmaddress().
>
> Add an error check for set_sadb_address(), return error code if the function fails.
>
> Fixes: e5b56652c11b ("key: Share common code path to fill sockaddr{}.")
> Cc: stable@vger.kernel.org # v2.6
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
>
> net/key/af_key.c | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c index c56bb4f451e6..537c9604e356 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -3474,15 +3474,17 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type, switch (type) { case SADB_EXT_ADDRESS_SRC: addr->sadb_address_prefixlen = sel->prefixlen_s;
pfkey_sockaddr_fill(&sel->saddr, 0,
(struct sockaddr *)(addr + 1),
sel->family);
if (!pfkey_sockaddr_fill(&sel->saddr, 0,
(struct sockaddr *)(addr + 1),
sel->family))
break; case SADB_EXT_ADDRESS_DST: addr->sadb_address_prefixlen = sel->prefixlen_d;return -EINVAL;
pfkey_sockaddr_fill(&sel->daddr, 0,
(struct sockaddr *)(addr + 1),
sel->family);
if (!pfkey_sockaddr_fill(&sel->daddr, 0,
(struct sockaddr *)(addr + 1),
sel->family))
break; default: return -EINVAL;return -EINVAL;
There are a few other calls to pfkey_sockaddr_fill() without checking, but family is already checked in such cases, so it is fine.
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
I am not sure if it should be a fix. If family is set there is no problem. Probably it is set in all cases. Maybe you should target it to net-next, but as I said, I am not sure.
Thanks
-- 2.42.0.windows.2
On Sun, 25 May 2025 23:53:50 +0800 Wentao Liang wrote:
> The function set_sadb_address() calls the function pfkey_sockaddr_fill(), but does not check its return value. A proper implementation can be found in set_sadb_kmaddress().
>
> Add an error check for set_sadb_address(), return error code if the function fails.
Please look at the callers, and you'll find out that the family has already been validated.
linux-stable-mirror@lists.linaro.org