From: Steffen Klassert <steffen.klassert@secunet.com>
To: Xiang Mei <xmei5@asu.edu>
Cc: <herbert@gondor.apana.org.au>, <davem@davemloft.net>,
<nakam@linux-ipv6.org>, <edumazet@google.com>, <kuba@kernel.org>,
<pabeni@redhat.com>, <horms@kernel.org>, <netdev@vger.kernel.org>,
<bestswngs@gmail.com>
Subject: Re: [PATCH ipsec] xfrm6: fix out-of-bounds write in xfrm6_input_addr() when secpath is full
Date: Wed, 15 Jul 2026 12:12:50 +0200 [thread overview]
Message-ID: <alddIi8ArJ13ytSC@secunet.com> (raw)
In-Reply-To: <20260704210333.668216-1-xmei5@asu.edu>
On Sat, Jul 04, 2026 at 02:03:32PM -0700, Xiang Mei wrote:
> The depth check in xfrm6_input_addr() is off by one:
>
> if (1 + sp->len == XFRM_MAX_DEPTH)
> goto drop;
> ...
> sp->xvec[sp->len++] = x;
>
> xfrm_input() can leave sp->len == XFRM_MAX_DEPTH, and the transport-mode
> receive path re-enters IPv6 input via xfrm_trans_reinject() with that
> secpath preserved. If the inner packet carries a destination-options HAO
> option or a type-2 routing header, xfrm6_input_addr() is called with
> sp->len == XFRM_MAX_DEPTH; the check (1 + 6 == 6) is false, so
> sp->xvec[sp->len++] writes one slot past the 6-element xvec[]. The write
> stays within the sec_path allocation (invisible to KASAN); UBSAN_BOUNDS
> flags it and panics under panic_on_warn.
>
> Use "sp->len >= XFRM_MAX_DEPTH", matching xfrm_input(). This also
> restores one chain level the old check rejected at sp->len == 5.
>
> UBSAN: array-index-out-of-bounds in net/ipv6/xfrm6_input.c:309:10
> index 6 is out of range for type 'xfrm_state *[6]'
>
> Fixes: 9473e1f631de ("[XFRM] MIPv6: Fix to input RO state correctly.")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
Applied, thanks a lot!
prev parent reply other threads:[~2026-07-15 10:12 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-04 21:03 [PATCH ipsec] xfrm6: fix out-of-bounds write in xfrm6_input_addr() when secpath is full Xiang Mei
2026-07-15 10:12 ` Steffen Klassert [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alddIi8ArJ13ytSC@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=bestswngs@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=nakam@linux-ipv6.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.