Re: [PATCH net] xfrm: account XFRMA_IF_ID in aevent size calculation
From: Steffen Klassert
Date: Tue Mar 31 2026 - 03:53:52 EST
On Thu, Mar 26, 2026 at 08:36:39PM +0800, Keenan Dong wrote:
> xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then
> build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is
> set.
>
> xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states
> with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)
> in xfrm_get_ae(), turning a malformed netlink interaction into a kernel
> panic.
>
> Account XFRMA_IF_ID in the size calculation unconditionally and replace
> the BUG_ON with normal error unwinding.
>
> Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.")
> Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> Signed-off-by: Keenan Dong <keenanat2000@xxxxxxxxx>
Applied to the ipsec tree, thanks a lot!
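The sizing-versus-building mismatch described in the quoted commit message, as an added userspace model (not kernel code): a size estimate that omits an optional attribute, a builder that emits it when `if_id` is set, and a caller that returns -EMSGSIZE instead of hitting BUG_ON(). All names (`put_attr`, `msgsize_buggy`, `msgsize_fixed`, `build_aevent`, `get_ae`, the attribute enum) are hypothetical stand-ins for the xfrm/netlink helpers.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define NLA_ALIGN(n)   (((n) + 3) & ~3)           /* netlink 4-byte alignment */
#define ATTR_TOTAL(pl) NLA_ALIGN(4 + (pl))        /* 4-byte TLV header + data */

enum { ATTR_REPLAY = 1, ATTR_LIFETIME = 2, ATTR_IF_ID = 3 };
struct buf   { uint8_t data[64]; size_t cap, len; };
struct state { uint64_t lifetime; uint32_t replay; uint32_t if_id; };

/* Append one TLV attribute; fails like nla_put() when the buffer is full. */
static int put_attr(struct buf *b, uint16_t type, const void *p, uint16_t plen)
{
	size_t total = ATTR_TOTAL(plen);
	uint16_t hdr[2] = { (uint16_t)(4 + plen), type };
	if (b->len + total > b->cap)
		return -EMSGSIZE;
	memcpy(b->data + b->len, hdr, sizeof hdr);
	memcpy(b->data + b->len + sizeof hdr, p, plen);
	b->len += total;
	return 0;
}

/* Buggy estimate: omits ATTR_IF_ID although the builder may emit it. */
static size_t msgsize_buggy(void)
{ return ATTR_TOTAL(sizeof(uint32_t)) + ATTR_TOTAL(sizeof(uint64_t)); }

/* Fixed estimate: reserve ATTR_IF_ID unconditionally, as the patch does. */
static size_t msgsize_fixed(void)
{ return msgsize_buggy() + ATTR_TOTAL(sizeof(uint32_t)); }

/* Builder: the optional attribute is emitted only when if_id is non-zero. */
static int build_aevent(struct buf *b, const struct state *x)
{
	int err = put_attr(b, ATTR_REPLAY, &x->replay, sizeof x->replay);
	if (!err)
		err = put_attr(b, ATTR_LIFETIME, &x->lifetime, sizeof x->lifetime);
	if (!err && x->if_id)
		err = put_attr(b, ATTR_IF_ID, &x->if_id, sizeof x->if_id);
	return err;
}

/* Size the buffer from an estimate, build, and hand the error back instead of BUG_ON(). */
static int get_ae(uint32_t if_id, int use_fixed_size)
{
	struct state x = { .lifetime = 3600, .replay = 32, .if_id = if_id };  /* constructed sample */
	struct buf b = { .cap = use_fixed_size ? msgsize_fixed() : msgsize_buggy() };
	return build_aevent(&b, &x);
}
```

With `if_id` set, `get_ae(7, 0)` returns -EMSGSIZE from the buggy estimate while `get_ae(7, 1)` succeeds; without `if_id` both estimates are sufficient.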