Re: [PATCHSET IPSec 0/3] net: key: Fix address family validation and integer overflow in set_ipsecrequest

[Sabrina Dubroca <sd@queasysnail.net>]

2025-11-06, 21:56:55 +0800, clingfei wrote:
> From: Cheng Lingfei <clf700383@gmail.com>
> 
> Hi,
> 
> This patchset addresses a security issue in the PF_KEYv2 implementation where
> improper address family validation could lead to integer overflows and buffer
> calculation errors in the set_ipsecrequest() function.
> 
> The core problem stems from two interrelated issues:
> 
> 1. The `family` parameter in set_ipsecrequest() is declared as u8 but receives
>    a 16-bit value, causing truncation of the upper byte.
> 
> 2. pfkey_sockaddr_len() returns 0 for unsupported address families, but the
>    calling code doesn't properly validate this return value before using it in
>    size calculations, leading to potential integer overflows.
> 
> The patchset is structured as follows:
> 
> Patch 1/3: Corrects the type of the family argument from u8 to u16 to prevent
>            truncation of 16-bit address family values.
> 
> Patch 2/3: Adds proper validation for the return value of pfkey_sockaddr_len()
>            to catch unsupported address families early.
> 
> Patch 3/3: Enhances the error handling to ensure zero-length allocations are
>            properly rejected and adds appropriate error returns.
> 
> This series fixes the original issue introduced in:
> Fixes: 14ad6ed30a10 ("net: allow small head cache usage with large MAX_SKB_FRAGS values")

This doesn't seem right. It looks more like a mismatch between the
size computation done before allocating the skb and the space actually
needed, and commit 14ad6ed30a10 made the pre-existing bug more visible.

-- 
Sabrina