Commit 843064b0 authored May 04, 2026 by Kuniyuki Iwashima Committed by Martin KaFai Lau May 08, 2026

bpf: tcp: Fix type confusion in bpf_skc_to_tcp6_sock().



bpf_skc_to_tcp6_sock() only checks if sk->sk_protocol is IPPROTO_TCP
and sk->sk_family is AF_INET6, but RAW socket can bypass it:

  socket(AF_INET6, SOCK_RAW, IPPROTO_TCP)

Let's check sk->sk_type too.

Fixes: af7ec138 ("bpf: Add bpf_skc_to_tcp6_sock() helper")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20260504210610.180150-6-kuniyu@google.com

parent decb84b8

net/core/filter.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -11947,7 +11947,7 @@ BPF_CALL_1(bpf_skc_to_tcp6_sock, struct sock *, sk)
		*/
		BTF_TYPE_EMIT(struct tcp6_sock);
		if (sk && sk_fullsock(sk) && sk->sk_protocol == IPPROTO_TCP &&
		sk->sk_family == AF_INET6)
		sk->sk_type == SOCK_STREAM && sk->sk_family == AF_INET6)
		return (unsigned long)sk;

		return (unsigned long)NULL;