[PATCH iproute2] ss: fix vsock port filter

[PATCH iproute2] ss: fix vsock port filter

[Luigi Leonardi]

parse_hostcond() uses get_u32() to parse the vsock port into the
aafilter.port field, which is a long. On 64-bit systems, get_u32()
only writes the lower 32 bits, leaving the upper 32 bits set from
the -1 initialization. This causes the port comparison
"a->port != s->rport" in run_ssfilter() to always fail, since the
corrupted long value never matches the int rport.

Fix by using get_long() instead, consistent with how AF_PACKET and
AF_NETLINK handle the same field.

Fixes: c759116a0b2b ("ss: add AF_VSOCK support")
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
---
 misc/ss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/ss.c b/misc/ss.c
index 14e9f27a..6e3321ac 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -2323,7 +2323,7 @@ void *parse_hostcond(char *addr, bool is_port)
 		port = find_port(addr, is_port);
 
 		if (port && strcmp(port, "*") &&
-		    get_u32((__u32 *)&a.port, port, 0))
+		    get_long(&a.port, port, 0))
 			return NULL;
 
 		if (!is_port && addr[0] && strcmp(addr, "*")) {

---
base-commit: e0517e612199cacaf2dc4d54cbed52deec640c94
change-id: 20260421-fix_vsock-40c2ef4928aa

Best regards,
-- 
Luigi Leonardi <leonardi@redhat.com>

Re: [PATCH iproute2] ss: fix vsock port filter

[Luigi Leonardi]

On Tue, Apr 21, 2026 at 02:35:12PM +0200, Luigi Leonardi wrote:
>parse_hostcond() uses get_u32() to parse the vsock port into the
>aafilter.port field, which is a long. On 64-bit systems, get_u32()
>only writes the lower 32 bits, leaving the upper 32 bits set from
>the -1 initialization. This causes the port comparison
>"a->port != s->rport" in run_ssfilter() to always fail, since the
>corrupted long value never matches the int rport.
>
>Fix by using get_long() instead, consistent with how AF_PACKET and
>AF_NETLINK handle the same field.
>
>Fixes: c759116a0b2b ("ss: add AF_VSOCK support")
>Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
>---

Apparently this fixes `sport` but breaks `dport` filtering.
Will send a v2. Please ignore this patch.

Luigi

Re: [PATCH iproute2] ss: fix vsock port filter

[Stefano Garzarella]

On Tue, Apr 21, 2026 at 02:35:12PM +0200, Luigi Leonardi wrote:
>parse_hostcond() uses get_u32() to parse the vsock port into the
>aafilter.port field, which is a long. On 64-bit systems, get_u32()
>only writes the lower 32 bits, leaving the upper 32 bits set from
>the -1 initialization. This causes the port comparison
>"a->port != s->rport" in run_ssfilter() to always fail, since the
>corrupted long value never matches the int rport.
>
>Fix by using get_long() instead, consistent with how AF_PACKET and
>AF_NETLINK handle the same field.
>
>Fixes: c759116a0b2b ("ss: add AF_VSOCK support")

Can this more related to commit 012cb515 ("ss: change aafilter port from 
int to long (inode support)") ?

I don't know this code at all, just asking.

Stefano

>Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
>---
> misc/ss.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/misc/ss.c b/misc/ss.c
>index 14e9f27a..6e3321ac 100644
>--- a/misc/ss.c
>+++ b/misc/ss.c
>@@ -2323,7 +2323,7 @@ void *parse_hostcond(char *addr, bool is_port)
> 		port = find_port(addr, is_port);
>
> 		if (port && strcmp(port, "*") &&
>-		    get_u32((__u32 *)&a.port, port, 0))
>+		    get_long(&a.port, port, 0))
> 			return NULL;
>
> 		if (!is_port && addr[0] && strcmp(addr, "*")) {
>
>---
>base-commit: e0517e612199cacaf2dc4d54cbed52deec640c94
>change-id: 20260421-fix_vsock-40c2ef4928aa
>
>Best regards,
>-- 
>Luigi Leonardi <leonardi@redhat.com>
>

Re: [PATCH iproute2] ss: fix vsock port filter

[Luigi Leonardi]

On Tue, Apr 21, 2026 at 04:07:41PM +0200, Stefano Garzarella wrote:
>On Tue, Apr 21, 2026 at 02:35:12PM +0200, Luigi Leonardi wrote:
>>parse_hostcond() uses get_u32() to parse the vsock port into the
>>aafilter.port field, which is a long. On 64-bit systems, get_u32()
>>only writes the lower 32 bits, leaving the upper 32 bits set from
>>the -1 initialization. This causes the port comparison
>>"a->port != s->rport" in run_ssfilter() to always fail, since the
>>corrupted long value never matches the int rport.
>>
>>Fix by using get_long() instead, consistent with how AF_PACKET and
>>AF_NETLINK handle the same field.
>>
>>Fixes: c759116a0b2b ("ss: add AF_VSOCK support")
>
>Can this more related to commit 012cb515 ("ss: change aafilter port 
>from int to long (inode support)") ?
>
>I don't know this code at all, just asking.
>
>Stefano

oh yes, you are right!

Luigi

Re: [PATCH iproute2] ss: fix vsock port filter

[Stephen Hemminger]

On Tue, 21 Apr 2026 14:35:12 +0200
Luigi Leonardi <leonardi@redhat.com> wrote:

> parse_hostcond() uses get_u32() to parse the vsock port into the
> aafilter.port field, which is a long. On 64-bit systems, get_u32()
> only writes the lower 32 bits, leaving the upper 32 bits set from
> the -1 initialization. This causes the port comparison
> "a->port != s->rport" in run_ssfilter() to always fail, since the
> corrupted long value never matches the int rport.
> 
> Fix by using get_long() instead, consistent with how AF_PACKET and
> AF_NETLINK handle the same field.
> 
> Fixes: c759116a0b2b ("ss: add AF_VSOCK support")
> Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
> ---
>  misc/ss.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/misc/ss.c b/misc/ss.c
> index 14e9f27a..6e3321ac 100644
> --- a/misc/ss.c
> +++ b/misc/ss.c
> @@ -2323,7 +2323,7 @@ void *parse_hostcond(char *addr, bool is_port)
>  		port = find_port(addr, is_port);
>  
>  		if (port && strcmp(port, "*") &&
> -		    get_u32((__u32 *)&a.port, port, 0))
> +		    get_long(&a.port, port, 0))
>  			return NULL;

If you use get_long() then the code could get negative values.
Actually have port in ss as signed value seems like a mistake in original design.

The port in unix domain socket is inode number.
Originally it was int, but got changed to long back in 6.6

The port in ss cache is int.

The ss code is one of those legacy dog piles that needs a major
overhaul and refactoring.