kernel-pfkey: Add some sanity checks when processing kernel events

author Tobias Brunner <tobias@strongswan.org>

Thu, 23 Apr 2026 13:12:12 +0000 (15:12 +0200)

committer Tobias Brunner <tobias@strongswan.org>

Thu, 23 Apr 2026 13:21:45 +0000 (15:21 +0200)
author Tobias Brunner <tobias@strongswan.org>
Thu, 23 Apr 2026 13:12:12 +0000 (15:12 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Thu, 23 Apr 2026 13:21:45 +0000 (15:21 +0200)
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index abf85fdbd57c678e03a943308dc13e0778e90d26..5c95f8683be44ebe8fbbab80e5575ff4d27f530b 100644 (file)
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1355,7 +1355,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
                 reqid = response.x_sa2->sadb_x_sa2_reqid;
                 mode = response.x_sa2->sadb_x_sa2_mode;
         }
                 reqid = response.x_sa2->sadb_x_sa2_reqid;
                 mode = response.x_sa2->sadb_x_sa2_mode;
         }
-       else
+       else if (response.x_policy)
         {
                 index = response.x_policy->sadb_x_policy_id;
                 this->mutex->lock(this->mutex);
         {
                 index = response.x_policy->sadb_x_policy_id;
                 this->mutex->lock(this->mutex);
@@ -1373,6 +1373,11 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
                 }
                 this->mutex->unlock(this->mutex);
         }
                 }
                 this->mutex->unlock(this->mutex);
         }
+       else
+       {
+               DBG1(DBG_KNL, "received SADB_ACQUIRE is missing required information");
+               return;
+       }
  
         if (reqid)
         {
  
         if (reqid)
         {
@@ -1384,7 +1389,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
                  * only useful in transport mode with wildcard policies. in tunnel mode,
                  * where narrowing could occur and the sequence number would be
                  * relevant, these TS are useless and might not even match the policy */
                  * only useful in transport mode with wildcard policies. in tunnel mode,
                  * where narrowing could occur and the sequence number would be
                  * relevant, these TS are useless and might not even match the policy */
-               if (mode == IPSEC_MODE_TRANSPORT)
+               if (mode == IPSEC_MODE_TRANSPORT && response.src && response.dst)
                 {
                         data.src = sadb_address2ts(response.src);
                         data.dst = sadb_address2ts(response.dst);
                 {
                         data.src = sadb_address2ts(response.src);
                         data.dst = sadb_address2ts(response.dst);
@@ -1416,12 +1421,17 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this,
                 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
                 return;
         }
                 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
                 return;
         }
+       if (!response.sa)
+       {
+               DBG1(DBG_KNL, "received SADB_EXPIRE is missing required information");
+               return;
+       }
  
         protocol = satype2proto(msg->sadb_msg_satype);
         spi = response.sa->sadb_sa_spi;
         hard = response.lft_hard != NULL;
  
  
         protocol = satype2proto(msg->sadb_msg_satype);
         spi = response.sa->sadb_sa_spi;
         hard = response.lft_hard != NULL;
  
-       if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
+       if ((protocol == IPPROTO_ESP || protocol == IPPROTO_AH) && response.dst)
         {
                 dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
                 if (dst)
         {
                 dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
                 if (dst)
@@ -1452,6 +1462,11 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this,
                 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
                 return;
         }
                 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
                 return;
         }
+       if (!response.src || !response.dst || !response.x_policy)
+       {
+               DBG1(DBG_KNL, "received SADB_X_MIGRATE is missing required information");
+               return;
+       }
         src_ts = sadb_address2ts(response.src);
         dst_ts = sadb_address2ts(response.dst);
         dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
         src_ts = sadb_address2ts(response.src);
         dst_ts = sadb_address2ts(response.dst);
         dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
author	Tobias Brunner <tobias@strongswan.org>
	Thu, 23 Apr 2026 13:12:12 +0000 (15:12 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Thu, 23 Apr 2026 13:21:45 +0000 (15:21 +0200)