Re: [PATCH net v2] net: af_key: initialize alg_key_len for IPComp states

From: Sabrina Dubroca

Date: Mon Jun 08 2026 - 12:33:16 EST


note: fixes for IPsec should go to the "ipsec" tree, not net

2026-06-08, 07:44:41 -0700, Zijing Yin wrote:
> pfkey_msg2xfrm_state() handles the IPComp (SADB_X_SATYPE_IPCOMP) case by
> allocating x->calg and copying only the algorithm name:
>
> x->calg = kmalloc_obj(*x->calg);
> if (!x->calg) {
>         err = -ENOMEM;
>         goto out;
> }
> strcpy(x->calg->alg_name, a->name);
> x->props.calgo = sa->sadb_sa_encrypt;
>
> Unlike the authentication (x->aalg) and encryption (x->ealg) branches of
> the same function, the compression branch never initializes
> calg->alg_key_len. IPComp carries no key and the allocation only
> reserves sizeof(struct xfrm_algo) (i.e. no room for a key), so the field
> is left containing uninitialized slab data.
>
> calg->alg_key_len is later used as a length by xfrm_algo_clone() when an
> IPComp state is cloned during XFRM_MSG_MIGRATE:

The patch looks correct, but do we want to start fixing random bugs in
code that we're trying to get rid of and that nobody actually uses?

If we do, then:
Reviewed-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>

--
Sabrina
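A user-space model of the defect the quoted description explains, added here as an example and not code from this thread or from the kernel: the struct layout and length arithmetic follow the kernel's struct xfrm_algo and xfrm_alg_len(), while fake_kmalloc(), its 0x6b fill pattern, the two setup helpers and the bounds-checked clone are constructed for illustration (the "fixed" variant assumes the fix is simply alg_key_len = 0, since IPComp carries no key).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the kernel's struct xfrm_algo: the key is a flexible array, so
 * it only exists if the allocation actually reserved room for it. */
struct xfrm_algo {
    char alg_name[64];
    unsigned int alg_key_len;   /* in bits */
    char alg_key[];
};

/* Same arithmetic as the kernel's xfrm_alg_len(): header plus key bytes. */
size_t xfrm_alg_len(const struct xfrm_algo *alg)
{
    return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
}

/* Stand-in for kmalloc(), constructed for this example. Slab memory is not
 * zeroed, so the object is filled with a stale-byte pattern (0x6b) to make
 * the effect of a skipped field initialization visible. */
static void *fake_kmalloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0x6b, n);
    return p;
}

static void copy_name(struct xfrm_algo *calg, const char *name)
{
    strncpy(calg->alg_name, name, sizeof(calg->alg_name) - 1);
    calg->alg_name[sizeof(calg->alg_name) - 1] = '\0';
}

/* The IPComp branch as quoted: allocate only sizeof(struct xfrm_algo),
 * copy the name, and never touch alg_key_len. */
struct xfrm_algo *ipcomp_setup_buggy(const char *name)
{
    struct xfrm_algo *calg = fake_kmalloc(sizeof(*calg));
    if (!calg)
        return NULL;
    copy_name(calg, name);
    return calg;
}

/* The same branch with the field initialized: IPComp has no key. */
struct xfrm_algo *ipcomp_setup_fixed(const char *name)
{
    struct xfrm_algo *calg = fake_kmalloc(sizeof(*calg));
    if (!calg)
        return NULL;
    copy_name(calg, name);
    calg->alg_key_len = 0;
    return calg;
}

/* Mirrors xfrm_algo_clone() (kmemdup of xfrm_alg_len(orig) bytes), but
 * refuses to copy more than the source allocation holds instead of
 * reading past the end of the object. */
struct xfrm_algo *xfrm_algo_clone_checked(const struct xfrm_algo *orig,
                                          size_t alloc_size)
{
    size_t len = xfrm_alg_len(orig);
    struct xfrm_algo *copy;

    if (len > alloc_size)
        return NULL;    /* stale alg_key_len would read beyond the source */
    copy = malloc(len);
    if (copy)
        memcpy(copy, orig, len);
    return copy;
}

/* 1 if cloning a state set up the buggy way would read past its
 * sizeof(struct xfrm_algo) allocation, 0 otherwise. */
int buggy_clone_overreads(void)
{
    struct xfrm_algo *a = ipcomp_setup_buggy("deflate");
    int over = a && xfrm_alg_len(a) > sizeof(*a);
    free(a);
    return over;
}

/* 1 if cloning a state set up the fixed way copies exactly the header. */
int fixed_clone_fits(void)
{
    struct xfrm_algo *a = ipcomp_setup_fixed("deflate");
    struct xfrm_algo *c = a ? xfrm_algo_clone_checked(a, sizeof(*a)) : NULL;
    int ok = c && xfrm_alg_len(c) == sizeof(*c) &&
             strcmp(c->alg_name, "deflate") == 0;
    free(a);
    free(c);
    return ok;
}

int main(void)
{
    printf("buggy: clone length %s the allocation\n",
           buggy_clone_overreads() ? "exceeds" : "fits");
    printf("fixed: clone %s\n", fixed_clone_fits() ? "ok" : "failed");
    return 0;
}
```

With the stale pattern, the uninitialized alg_key_len reads as 0x6b6b6b6b bits, so the clone's kmemdup length is hundreds of megabytes larger than the 68-byte object it copies from; after alg_key_len = 0 the length collapses to sizeof(struct xfrm_algo) and the copy stays within the source.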