[PATCH net v2] netlabel: validate unlabeled mask attribute length
Paul Moore
paul at paul-moore.com
Tue Jun 2 02:25:44 UTC 2026
On Wed, May 27, 2026 at 9:59 PM Chenguang Zhao <zhaochenguang at kylinos.cn> wrote:
>
> netlbl_unlabel_addrinfo_get() checked the address length
> but allowed shorter mask attributes to pass through to
> fixed-size address reads.
>
> netlbl_unlabel_addrinfo_get() only rejected a mask
> length mismatch when the address attribute length
> was also invalid. A crafted Generic Netlink request
> could therefore provide a valid IPv4/IPv6 address
> attribute with a shorter mask attribute.
>
> NLA_BINARY policy lengths are maximum lengths,
> not exact lengths, so the short mask can pass
> policy validation. The mask is later read as
> a full struct in_addr or struct in6_addr.
> Require both address and mask attributes to
> have the exact expected size.
>
> Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled connections")
> Signed-off-by: Chenguang Zhao <zhaochenguang at kylinos.cn>
> ---
> v2:
> - Adjust commit message
> - Add Fixes and 'net' subject prefix.
> v1:
> https://lore.kernel.org/all/20260522054521.1169755-1-zhaochenguang@kylinos.cn/
> ---
> net/netlabel/netlabel_unlabeled.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
Looks good to me, thanks!
Acked-by: Paul Moore <paul at paul-moore.com>
--
paul-moore.com
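The length-check bug the commit message describes, as an added user-space model (not the kernel's code, not the patch, and not Paul's or Chenguang's code): `struct attr`, `nla_binary_policy_ok()`, `lengths_ok_buggy()`, `lengths_ok_fixed()` and `addrinfo_get()` are simplified stand-ins for the kernel's `struct nlattr` / `nla_len()` handling and for `netlbl_unlabel_addrinfo_get()`, chosen only to show why a max-length NLA_BINARY policy combined with an "&&" check lets a short mask reach a fixed-size `memcpy`. The IPv4 request bytes are constructed for the example.

```c
/* Added example, not kernel or patch code: a user-space model of the
 * attribute length check described in the commit message. */
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a parsed netlink attribute: declared payload length plus
 * a pointer to the payload bytes (assumption, simplified from struct nlattr). */
struct attr {
    size_t len;
    const uint8_t *data;
};

/* Stand-in for NLA_BINARY policy validation: .len is an upper bound, so any
 * attribute up to max_len is accepted, shorter ones included. */
static int nla_binary_policy_ok(const struct attr *a, size_t max_len)
{
    return a->len <= max_len;
}

/* Pre-fix shape as described: a mask length mismatch is only rejected when
 * the address length is also wrong. */
static int lengths_ok_buggy(const struct attr *addr, const struct attr *mask, size_t expect)
{
    return !(addr->len != expect && mask->len != expect);
}

/* Post-fix shape: both attributes must have exactly the expected size. */
static int lengths_ok_fixed(const struct attr *addr, const struct attr *mask, size_t expect)
{
    return addr->len == expect && mask->len == expect;
}

/* Common tail: policy check, length check, then the fixed-size reads that
 * happen when the payloads are treated as struct in_addr / struct in6_addr.
 * expect is sizeof(struct in_addr) for IPv4, sizeof(struct in6_addr) for IPv6. */
static int addrinfo_get(const struct attr *addr, const struct attr *mask, size_t expect,
                        int (*lengths_ok)(const struct attr *, const struct attr *, size_t),
                        void *out_addr, void *out_mask)
{
    if (!nla_binary_policy_ok(addr, expect) || !nla_binary_policy_ok(mask, expect))
        return -EINVAL;
    if (!lengths_ok(addr, mask, expect))
        return -EINVAL;
    memcpy(out_addr, addr->data, expect); /* fixed-size read of the address */
    memcpy(out_mask, mask->data, expect); /* over-reads a mask shorter than expect */
    return 0;
}

/* Constructed IPv4 request: a valid 4-byte address, a 4-byte mask, and a
 * 1-byte mask whose backing buffer is padded with 0xAA so the over-read stays
 * in bounds here and the bytes it picks up are recognisable. In the kernel
 * those bytes would be whatever follows the attribute in the message. */
#define PAD 0xAA
static const uint8_t k_addr4[4]      = { 192, 0, 2, 1 };
static const uint8_t k_mask_full[4]  = { 255, 255, 255, 0 };
static const uint8_t k_mask_short[4] = { 0xFF, PAD, PAD, PAD };

/* Runs one variant of the check over the constructed address and the given
 * mask; returns the variant's result and the mask bytes it read in *mask_out. */
static int run_v4(int (*lengths_ok)(const struct attr *, const struct attr *, size_t),
                  const uint8_t *mask_data, size_t mask_len, struct in_addr *mask_out)
{
    struct attr addr = { sizeof k_addr4, k_addr4 };
    struct attr mask = { mask_len, mask_data };
    struct in_addr a;
    return addrinfo_get(&addr, &mask, sizeof(struct in_addr), lengths_ok, &a, mask_out);
}

/* 1 if the buggy check accepted the 1-byte mask and the copy pulled in the
 * three padding bytes beyond its declared length, 0 otherwise. */
static int buggy_over_reads(void)
{
    struct in_addr m;
    uint8_t b[4];
    if (run_v4(lengths_ok_buggy, k_mask_short, 1, &m) != 0)
        return 0;
    memcpy(b, &m, sizeof b);
    return b[0] == 0xFF && b[1] == PAD && b[2] == PAD && b[3] == PAD;
}

/* Fixed check on the same short-mask request; expected to return -EINVAL. */
static int fixed_rejects_short(void)
{
    struct in_addr m;
    return run_v4(lengths_ok_fixed, k_mask_short, 1, &m);
}

/* Fixed check on a well-formed request; expected to return 0. */
static int fixed_accepts_full(void)
{
    struct in_addr m;
    return run_v4(lengths_ok_fixed, k_mask_full, sizeof k_mask_full, &m);
}

int main(void)
{
    printf("buggy check over-reads short mask: %s\n", buggy_over_reads() ? "yes" : "no");
    printf("fixed check, short mask: %d (EINVAL is %d)\n", fixed_rejects_short(), -EINVAL);
    printf("fixed check, full mask:  %d\n", fixed_accepts_full());
    return 0;
}
```

The same `addrinfo_get()` call with `expect = sizeof(struct in6_addr)` models the IPv6 path; the point is that `nla_binary_policy_ok()` never rejects a short payload, so the exact-length comparison in `lengths_ok_fixed()` is the only thing standing between a crafted attribute and a 4- or 16-byte copy out of a smaller buffer.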