Date: Wed, 20 May 2026 14:29:40 +0000
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: e924a2c80b9e - main - netlink: fix unsigned overflow on a truncated message
Message-ID: <6a0dc554.3cf56.4d406b96@gitrepo.freebsd.org>
The branch main has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=e924a2c80b9e1ace68d8ca0ffdacec65feec90a3 commit e924a2c80b9e1ace68d8ca0ffdacec65feec90a3 Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2026-05-20 14:27:52 +0000 Commit: Gleb Smirnoff <glebius@FreeBSD.org> CommitDate: 2026-05-20 14:27:52 +0000 netlink: fix unsigned overflow on a truncated message PR: 295106 Submitted by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: pouria, melifaro Differential Revision: https://reviews.freebsd.org/D56916 --- sys/netlink/netlink_message_parser.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/netlink/netlink_message_parser.h b/sys/netlink/netlink_message_parser.h index 8f61091c4a7f..c747f301059c 100644 --- a/sys/netlink/netlink_message_parser.h +++ b/sys/netlink/netlink_message_parser.h @@ -315,6 +315,12 @@ static inline void nl_get_attrs_bmask_nlmsg(struct nlmsghdr *hdr, const struct nlhdr_parser *parser, struct nlattr_bmask *bm) { + if (__predict_false(hdr->nlmsg_len - sizeof(struct nlmsghdr) < + parser->nl_hdr_off)) { + /* Doesn't make sense to call nl_alloc_compat_hdr() here. */ + BIT_ZERO(NL_ATTR_BMASK_SIZE, bm); + return; + } nl_get_attrs_bmask_raw( (struct nlattr *)((char *)(hdr + 1) + parser->nl_hdr_off), hdr->nlmsg_len - sizeof(*hdr) - parser->nl_hdr_off, bm);home | help
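Review bot: the new guard at the top of nl_get_attrs_bmask_nlmsg() performs an unsigned subtraction before it compares, so it is only sound when hdr->nlmsg_len is already known to be at least sizeof(struct nlmsghdr). If that is not guaranteed on every path into this function, `hdr->nlmsg_len - sizeof(struct nlmsghdr)` wraps to a large value, the test is false, and the length passed to nl_get_attrs_bmask_raw() wraps in the same way the commit is meant to prevent. Writing the test with an addition, `hdr->nlmsg_len < sizeof(struct nlmsghdr) + parser->nl_hdr_off`, avoids the wrap without relying on the caller; otherwise a one-line comment stating that precondition would help. Two smaller points: the guard spells the size as sizeof(struct nlmsghdr) while the call below uses sizeof(*hdr), and the comment about nl_alloc_compat_hdr() says what is not done but not why, so a reader cannot tell that a zeroed bitmask is the intended result for a truncated message.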
