Date:      Thu, 31 Jul 2025 10:07:03 GMT
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: a8d90e32133b - main - netlink: Fully clear parser state between messages
Message-ID:  <202507311007.56VA73qn067878@gitrepo.freebsd.org>

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=a8d90e32133b77a49c2551f22e59f72d65293b64

commit a8d90e32133b77a49c2551f22e59f72d65293b64
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-07-31 10:06:47 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-07-31 10:06:47 +0000

    netlink: Fully clear parser state between messages
    
    Failing to reset the cookie between messages can lead to an attempt
    to interpret a zeroed buffer as a struct nlattr, causing a length
    calculation to underflow, resulting in a memcpy() call where the
    length exceeds the actual size of the buffer.
    
    MFC after:      1 week
    PR:             283797
    Reviewed by:    glebius
    Differential Revision:  https://reviews.freebsd.org/D51634
---
 sys/netlink/netlink_io.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netlink/netlink_io.c b/sys/netlink/netlink_io.c
index ce323910af3f..e7908d6f3a44 100644
--- a/sys/netlink/netlink_io.c
+++ b/sys/netlink/netlink_io.c
@@ -308,6 +308,7 @@ static void
 npt_clear(struct nl_pstate *npt)
 {
 	lb_clear(&npt->lb);
+	npt->cookie = NULL;
 	npt->error = 0;
 	npt->err_msg = NULL;
 	npt->err_off = 0;
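Review bot: the added `npt->cookie = NULL;` in npt_clear() has no comment recording why the reset is needed, even though the commit message explains that a stale cookie leads to a zeroed buffer being interpreted as a struct nlattr, an underflowing length calculation and an oversized memcpy(); a one-line comment above it (e.g. `/* stale cookie would be misparsed as a struct nlattr */`) keeps that rationale next to the code so the line is not removed as redundant later. Since the diff does not show the consumers of npt->cookie, it is also worth confirming in review that each path reading it after npt_clear() handles NULL, and that a regression test exists for PR 283797.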