From: Steffen Klassert <steffen.klassert@secunet.com>
To: Xiang Mei <xmei5@asu.edu>
Cc: <herbert@gondor.apana.org.au>, <davem@davemloft.net>,
<nakam@linux-ipv6.org>, <edumazet@google.com>, <kuba@kernel.org>,
<pabeni@redhat.com>, <horms@kernel.org>, <netdev@vger.kernel.org>,
<bestswngs@gmail.com>
Subject: Re: [PATCH ipsec] xfrm6: fix out-of-bounds write in xfrm6_input_addr() when secpath is full
Date: Wed, 15 Jul 2026 12:12:50 +0200 [thread overview]
Message-ID: <alddIi8ArJ13ytSC@secunet.com> (raw)
In-Reply-To: <20260704210333.668216-1-xmei5@asu.edu>
On Sat, Jul 04, 2026 at 02:03:32PM -0700, Xiang Mei wrote:
> The depth check in xfrm6_input_addr() is off by one:
>
> if (1 + sp->len == XFRM_MAX_DEPTH)
> goto drop;
> ...
> sp->xvec[sp->len++] = x;
>
> xfrm_input() can leave sp->len == XFRM_MAX_DEPTH, and the transport-mode
> receive path re-enters IPv6 input via xfrm_trans_reinject() with that
> secpath preserved. If the inner packet carries a destination-options HAO
> option or a type-2 routing header, xfrm6_input_addr() is called with
> sp->len == XFRM_MAX_DEPTH; the check (1 + 6 == 6) is false, so
> sp->xvec[sp->len++] writes one slot past the 6-element xvec[]. The write
> stays within the sec_path allocation (invisible to KASAN); UBSAN_BOUNDS
> flags it and panics under panic_on_warn.
>
> Use "sp->len >= XFRM_MAX_DEPTH", matching xfrm_input(). This also
> restores one chain level the old check rejected at sp->len == 5.
>
> UBSAN: array-index-out-of-bounds in net/ipv6/xfrm6_input.c:309:10
> index 6 is out of range for type 'xfrm_state *[6]'
>
> Fixes: 9473e1f631de ("[XFRM] MIPv6: Fix to input RO state correctly.")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
Applied, thanks a lot!
next prev parent reply other threads:[~2026-07-15 10:12 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-04 21:03 [PATCH ipsec] xfrm6: fix out-of-bounds write in xfrm6_input_addr() when secpath is full Xiang Mei
2026-07-15 10:12 ` Steffen Klassert [this message]
2026-07-15 18:08 ` Xiang Mei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alddIi8ArJ13ytSC@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=bestswngs@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=nakam@linux-ipv6.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox