Date: Wed, 6 Aug 2025 15:32:24 GMT
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 627831eba3de - stable/14 - netlink: Fully clear parser state between messages
Message-ID: <202508061532.576FWOJT047920@gitrepo.freebsd.org>
The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=627831eba3deb2644edc2b92c4ce8365321b8930 commit 627831eba3deb2644edc2b92c4ce8365321b8930 Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2025-07-31 10:06:47 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2025-08-06 13:52:12 +0000 netlink: Fully clear parser state between messages Failing to reset the cookie between messages can lead to an attempt to interpret a zeroed buffer as a struct nlattr, causing a length calculation to underflow, resulting in a memcpy() call where the length exceeds the actual size of the buffer. MFC after: 1 week PR: 283797 Reviewed by: glebius Differential Revision: https://reviews.freebsd.org/D51634 (cherry picked from commit a8d90e32133b77a49c2551f22e59f72d65293b64) --- sys/netlink/netlink_io.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netlink/netlink_io.c b/sys/netlink/netlink_io.c index 0ca71fb6219b..c6827c76c623 100644 --- a/sys/netlink/netlink_io.c +++ b/sys/netlink/netlink_io.c @@ -520,6 +520,7 @@ static void npt_clear(struct nl_pstate *npt) { lb_clear(&npt->lb); + npt->cookie = NULL; npt->error = 0; npt->err_msg = NULL; npt->err_off = 0;
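Review bot: the one-line fix in npt_clear() is correct for the bug described, but the function resets the per-message fields of struct nl_pstate one at a time (lb, cookie, error, err_msg, err_off), which is exactly how cookie came to be missed in the first place; a short comment above npt_clear() stating that every per-message field must be reset here, or a brief note in the commit message on why a field-by-field reset is preferred over clearing the whole per-message portion of the structure, would make it less likely that a future field is forgotten the same way. It would also be worth adding a regression test for PR 283797 that parses two consecutive messages on one socket, since that is the sequence the commit message says triggers the stale-cookie path and the underflowing length calculation.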