Commit 7081d46d authored Mar 26, 2026 by Keenan Dong Committed by Steffen Klassert Mar 30, 2026

xfrm: account XFRMA_IF_ID in aevent size calculation



xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then
build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is
set.

xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states
with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)
in xfrm_get_ae(), turning a malformed netlink interaction into a kernel
panic.

Account XFRMA_IF_ID in the size calculation unconditionally and replace
the BUG_ON with normal error unwinding.

Fixes: 7e652640 ("xfrm: Add a new lookup key to match xfrm interfaces.")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent 71a98248

net/xfrm/xfrm_user.c

+8 −2

Original line number	Diff line number	Diff line
		@@ -2677,7 +2677,8 @@ static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x)
		+ nla_total_size(4) /* XFRM_AE_RTHR */
		+ nla_total_size(4) /* XFRM_AE_ETHR */
		+ nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */
		+ nla_total_size(4); /* XFRMA_SA_PCPU */
		+ nla_total_size(4) /* XFRMA_SA_PCPU */
		+ nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */
		}

		static int build_aevent(struct sk_buff skb, struct xfrm_state x, const struct km_event *c)
		@@ -2789,7 +2790,12 @@ static int xfrm_get_ae(struct sk_buff skb, struct nlmsghdr nlh,
		c.portid = nlh->nlmsg_pid;

		err = build_aevent(r_skb, x, &c);
		BUG_ON(err < 0);
		if (err < 0) {
		spin_unlock_bh(&x->lock);
		xfrm_state_put(x);
		kfree_skb(r_skb);
		return err;
		}

		err = nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, NETLINK_CB(skb).portid);
		spin_unlock_bh(&x->lock);