Re: [PATCH] net: ipv4: Potential null pointer dereference in cipso_v4_parsetag_enum
From: Simon Horman <horms@kernel.org>
Date: 2025-09-09 12:47:34
On Mon, Sep 08, 2025 at 04:03:15PM +0800, Chen Yufeng wrote:
While parsing CIPSO enumerated tags, secattr->flags is set to NETLBL_SECATTR_MLS_CAT even if secattr->attr.mls.cat is NULL. If subsequent code attempts to access secattr->attr.mls.cat, it may lead to a null pointer dereference, causing a system crash.

To address this issue, we add a check to ensure that before setting the NETLBL_SECATTR_MLS_CAT flag, secattr->attr.mls.cat is not NULL.

fixed code:
    if (secattr->attr.mls.cat)
        secattr->flags |= NETLBL_SECATTR_MLS_CAT;

This patch is similar to eead1c2ea250("netlabel: cope with NULL catmap").
Nit: the preferred form for this citation is:
commit eead1c2ea250 ("netlabel: cope with NULL catmap")
i.e.
This patch is similar to commit eead1c2ea250 ("netlabel: cope with NULL
catmap").
Signed-off-by: Chen Yufeng <redacted> --- net/ipv4/cipso_ipv4.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 740af8541d2f..2190333d78cb 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c@@ -1339,8 +1339,8 @@ static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def, netlbl_catmap_free(secattr->attr.mls.cat); return ret_val; } - - secattr->flags |= NETLBL_SECATTR_MLS_CAT; + if (secattr->attr.mls.cat) + secattr->flags |= NETLBL_SECATTR_MLS_CAT; } return 0;-- 2.34.1
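Review bot: The added guard `if (secattr->attr.mls.cat)` at the end of the tag-length block rests on a consumer the changelog never names. "If subsequent code attempts to access secattr->attr.mls.cat" should be replaced by the function that dereferences the catmap when NETLBL_SECATTR_MLS_CAT is set, so the NULL dereference can be confirmed as reachable, and a Fixes: tag should accompany the Signed-off-by line. The hunk also drops the blank line that separated the error-return block (`netlbl_catmap_free(...); return ret_val;`) from the flag assignment; keep that blank line so the diff is limited to the two-line guard.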