Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

When calling netlbl_conn_setattr(), addr->sa_family is used
to determine the function behavior. If sk is an IPv4 socket,
but the connect function is called with an IPv6 address,
the function calipso_sock_setattr() is triggered.
Inside this function, the following code is executed:

sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;

Since sk is an IPv4 socket, pinet6 is NULL, leading to a
null pointer dereference.

This patch fixes the issue by checking if inet6_sk(sk)
returns a NULL pointer before accessing pinet6.

Signed-off-by: Debin Zhu <mowenroot@163.com>
Signed-off-by: Bitao Ouyang <1985755126@qq.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
Link: https://patch.msgid.link/20250401124018.4763-1-mowenroot@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by Debin Zhu and committed by Jakub Kicinski
078aabd5 acc4d5ff

+18 -3
net/ipv6/calipso.c
··· 1072 1072 struct ipv6_opt_hdr *hop; 1073 1073 int opt_len, len, ret_val = -ENOMSG, offset; 1074 1074 unsigned char *opt; 1075 - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); 1075 + struct ipv6_pinfo *pinfo = inet6_sk(sk); 1076 + struct ipv6_txoptions *txopts; 1076 1077 1078 + if (!pinfo) 1079 + return -EAFNOSUPPORT; 1080 + 1081 + txopts = txopt_get(pinfo); 1077 1082 if (!txopts || !txopts->hopopt) 1078 1083 goto done; 1079 1084 ··· 1130 1125 { 1131 1126 int ret_val; 1132 1127 struct ipv6_opt_hdr *old, *new; 1133 - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); 1128 + struct ipv6_pinfo *pinfo = inet6_sk(sk); 1129 + struct ipv6_txoptions *txopts; 1134 1130 1131 + if (!pinfo) 1132 + return -EAFNOSUPPORT; 1133 + 1134 + txopts = txopt_get(pinfo); 1135 1135 old = NULL; 1136 1136 if (txopts) 1137 1137 old = txopts->hopopt; ··· 1163 1153 static void calipso_sock_delattr(struct sock *sk) 1164 1154 { 1165 1155 struct ipv6_opt_hdr *new_hop; 1166 - struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); 1156 + struct ipv6_pinfo *pinfo = inet6_sk(sk); 1157 + struct ipv6_txoptions *txopts; 1167 1158 1159 + if (!pinfo) 1160 + return; 1161 + 1162 + txopts = txopt_get(pinfo); 1168 1163 if (!txopts || !txopts->hopopt) 1169 1164 goto done; 1170 1165
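Review bot: In the first hunk (around line 1078), the new "return -EAFNOSUPPORT;" leaves the function directly instead of going through the done label that the existing "goto done;" uses, and it introduces a second errno next to the default ret_val = -ENOMSG. The direct return is fine because it sits before txopt_get(pinfo), so nothing has been acquired yet, but a short comment above "if (!pinfo)" stating that inet6_sk(sk) is NULL for a socket without IPv6 state would make that ordering deliberate rather than incidental. It is also worth confirming that callers which treated -ENOMSG as "no label present" handle -EAFNOSUPPORT sensibly.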
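Review bot: The "if (!pinfo)" check in the second hunk (around line 1131) guards only the callee, while the commit message places the mismatch in netlbl_conn_setattr(), which selects the handler from addr->sa_family without looking at the socket's own family. Consider also rejecting the call there when the address family and the socket family disagree, so that an IPv4 socket never reaches the CALIPSO code in the first place; the check in this hunk then remains as defence in depth. If that is intentionally left out, a sentence in the commit message saying why would help.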
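Review bot: In the third hunk, calipso_sock_delattr() now carries the same sequence as the two hunks before it (pinfo = inet6_sk(sk), the NULL test, then txopts = txopt_get(pinfo)), so the pattern appears three times in net/ipv6/calipso.c. A small static helper that returns the txoptions or NULL for a socket without IPv6 state would keep the three call sites consistent if the check ever changes. Because this function returns void, the bare "return;" drops the mismatch silently; that looks acceptable for a delete path, but a comment noting there is nothing to remove on a non-IPv6 socket would document the intent.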