xfrm: Fix NULL pointer dereference on policy lookup

klassert · klassert · commit b1e3a5607034 · 2021-03-24T10:00:24.000+01:00
When xfrm interfaces are used in combination with namespaces and ESP offload, we get a dst_entry NULL pointer dereference. This is because we don't have a dst_entry attached in the ESP offloading case and we need to do a policy lookup before the namespace transition. Fix this by expicit checking of skb_dst(skb) before accessing it. Fixes: f203b76 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
@@ -1097,7 +1097,7 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
 		return __xfrm_policy_check(sk, ndir, skb, family);
 
 	return	(!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
-		(skb_dst(skb)->flags & DST_NOPOLICY) ||
+		(skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
 		__xfrm_policy_check(sk, ndir, skb, family);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1097,7 +1097,7 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,`
`1097`	`1097`	`return __xfrm_policy_check(sk, ndir, skb, family);`
`1098`	`1098`
`1099`	`1099`	`return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) \|\|`
`1100`		`- (skb_dst(skb)->flags & DST_NOPOLICY) \|\|`
	`1100`	`+ (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) \|\|`
`1101`	`1101`	`__xfrm_policy_check(sk, ndir, skb, family);`
`1102`	`1102`	`}`
`1103`	`1103`