[PATCH iproute2] ss: fix vsock port filter

[PATCH iproute2] ss: fix vsock port filter

[Luigi Leonardi]

parse_hostcond() uses get_u32() to parse the vsock port into the
aafilter.port field, which is a long. On 64-bit systems, get_u32()
only writes the lower 32 bits, leaving the upper 32 bits set from
the -1 initialization. This causes the port comparison
"a->port != s->rport" in run_ssfilter() to always fail, since the
corrupted long value never matches the int rport.

Fix by using get_long() instead, consistent with how AF_PACKET and
AF_NETLINK handle the same field.

Fixes: c759116a0b2b ("ss: add AF_VSOCK support")
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
---
 misc/ss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/ss.c b/misc/ss.c
index 14e9f27a..6e3321ac 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -2323,7 +2323,7 @@ void *parse_hostcond(char *addr, bool is_port)
 		port = find_port(addr, is_port);
 
 		if (port && strcmp(port, "*") &&
-		    get_u32((__u32 *)&a.port, port, 0))
+		    get_long(&a.port, port, 0))
 			return NULL;
 
 		if (!is_port && addr[0] && strcmp(addr, "*")) {

---
base-commit: e0517e612199cacaf2dc4d54cbed52deec640c94
change-id: 20260421-fix_vsock-40c2ef4928aa

Best regards,
-- 
Luigi Leonardi <leonardi@redhat.com>

Re: [PATCH iproute2] ss: fix vsock port filter

[Luigi Leonardi]

On Tue, Apr 21, 2026 at 02:35:12PM +0200, Luigi Leonardi wrote:
>parse_hostcond() uses get_u32() to parse the vsock port into the
>aafilter.port field, which is a long. On 64-bit systems, get_u32()
>only writes the lower 32 bits, leaving the upper 32 bits set from
>the -1 initialization. This causes the port comparison
>"a->port != s->rport" in run_ssfilter() to always fail, since the
>corrupted long value never matches the int rport.
>
>Fix by using get_long() instead, consistent with how AF_PACKET and
>AF_NETLINK handle the same field.
>
>Fixes: c759116a0b2b ("ss: add AF_VSOCK support")
>Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
>---

Apparently this fixes `sport` but breaks `dport` filtering.
Will send a v2. Please ignore this patch.

Luigi

Re: [PATCH iproute2] ss: fix vsock port filter

[Stefano Garzarella]

On Tue, Apr 21, 2026 at 02:35:12PM +0200, Luigi Leonardi wrote:
>parse_hostcond() uses get_u32() to parse the vsock port into the
>aafilter.port field, which is a long. On 64-bit systems, get_u32()
>only writes the lower 32 bits, leaving the upper 32 bits set from
>the -1 initialization. This causes the port comparison
>"a->port != s->rport" in run_ssfilter() to always fail, since the
>corrupted long value never matches the int rport.
>
>Fix by using get_long() instead, consistent with how AF_PACKET and
>AF_NETLINK handle the same field.
>
>Fixes: c759116a0b2b ("ss: add AF_VSOCK support")

Can this more related to commit 012cb515 ("ss: change aafilter port from 
int to long (inode support)") ?

I don't know this code at all, just asking.

Stefano

>Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
>---
> misc/ss.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/misc/ss.c b/misc/ss.c
>index 14e9f27a..6e3321ac 100644
>--- a/misc/ss.c
>+++ b/misc/ss.c
>@@ -2323,7 +2323,7 @@ void *parse_hostcond(char *addr, bool is_port)
> 		port = find_port(addr, is_port);
>
> 		if (port && strcmp(port, "*") &&
>-		    get_u32((__u32 *)&a.port, port, 0))
>+		    get_long(&a.port, port, 0))
> 			return NULL;
>
> 		if (!is_port && addr[0] && strcmp(addr, "*")) {
>
>---
>base-commit: e0517e612199cacaf2dc4d54cbed52deec640c94
>change-id: 20260421-fix_vsock-40c2ef4928aa
>
>Best regards,
>-- 
>Luigi Leonardi <leonardi@redhat.com>
>

Re: [PATCH iproute2] ss: fix vsock port filter

[Luigi Leonardi]

On Tue, Apr 21, 2026 at 04:07:41PM +0200, Stefano Garzarella wrote:
>On Tue, Apr 21, 2026 at 02:35:12PM +0200, Luigi Leonardi wrote:
>>parse_hostcond() uses get_u32() to parse the vsock port into the
>>aafilter.port field, which is a long. On 64-bit systems, get_u32()
>>only writes the lower 32 bits, leaving the upper 32 bits set from
>>the -1 initialization. This causes the port comparison
>>"a->port != s->rport" in run_ssfilter() to always fail, since the
>>corrupted long value never matches the int rport.
>>
>>Fix by using get_long() instead, consistent with how AF_PACKET and
>>AF_NETLINK handle the same field.
>>
>>Fixes: c759116a0b2b ("ss: add AF_VSOCK support")
>
>Can this more related to commit 012cb515 ("ss: change aafilter port 
>from int to long (inode support)") ?
>
>I don't know this code at all, just asking.
>
>Stefano

oh yes, you are right!

Luigi