From nobody Mon Mar 31 17:31:40 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZRJ8Y2gvJz5sL19; Mon, 31 Mar 2025 17:31:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZRJ8Y0gglz3cwp; Mon, 31 Mar 2025 17:31:41 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1743442301; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=yA/IhFwEcr90Y8QbhQJojJeHTb8yKc4zxrH1IlcFyHU=; b=Uxfb+cC73Kzi6YolyKYH77H+0syhX1CQik9tVoHgFL6tvXuCo53layh1aHb2CCvxI8zcPN yrYGFGW31rfrY9hvxZQ5EGcUq4Z7q2mKAEGOp9owcMhYy0jpi8G4R/V8kTbhiGxDT2dFHS 2N7tL1LG60ou94Aky3QzFSDfg74TqQlGX0vr3s4WUh+hfmpzcOjlcoKq4/piEZ8E+S3N8C o05AVsZ97O6uJbfIu88yL7HSXeihl+fP3nsiDo16T84naXIsv17URUa05RyrQ+Pp1gsdXz OOvJ5JwYlFOY8ZxolqElC3+quw1A6zb8R3C2LyjVGD70mPbhlZUjzhiF5qFv6A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1743442301; a=rsa-sha256; cv=none; b=MjX+Qr6xsKXpRvN7Dci1RSwoxEKNVn660AYJKcULApWNxPvOGxYunIDokl0ZNHldjwfYP3 LsdC2SvIrtDq4vDQdayuF9zaqa1QBBhRujprfmksi/IqsG3YW7tWFe3ZWqvZ2OLhdkDWFU BSS+gje0LAKUjaVTzSxb5rysQzUVjKnT0z6s1yBIoHc9lbUJX0yhaVQuCj3kCYUcEOey9p XnxWl5MYtscQOFbVPaHvXDRNyjcsBF59KC8lawbBl7+1SlzGXAj0az0vzMhET+FTADvu3Z DbvXW1CC7Yq6CGdphNMi0Oxd2vktbj6tkKrw7edZ5T7z6XCjRtOc+8lUqcQYsg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1743442301; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=yA/IhFwEcr90Y8QbhQJojJeHTb8yKc4zxrH1IlcFyHU=; b=fQV/r6F+kIuLectP+ZHT2GLHy/fLW1XheBxKNEgkCriTu4MHaf03tyL/UtKMZW99tn54sx /2wr5rp8b6899vJZlhJ7cDfNPagZhULY3bEKT2/dhE97GxzTxDhKwGUFQyPVYcYY7+jBmn BpsGAf9ls9OInIamtZgt7oTvYEiwJOB0PkpwkGuAfmvRmTDgBtq1eOhFx0Bvpyhd0tA8er aXHuaQuY93fh1q7zNLkaLih1ltoPvEB0ZBSyPxQTbz//Rj3msCn4WEMShIa6eqOZbJBUGl AivPhbURb32fGgv5w+2mCYXLHtB+al8xDNJVOWT2Fj9vZXk30421oEAnJAmrjQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4ZRJ8X6c1YzvLP; Mon, 31 Mar 2025 17:31:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 52VHVeGj036697; Mon, 31 Mar 2025 17:31:40 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 52VHVetf036694; Mon, 31 Mar 2025 17:31:40 GMT (envelope-from git) Date: Mon, 31 Mar 2025 17:31:40 GMT Message-Id: <202503311731.52VHVetf036694@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Gleb Smirnoff Subject: git: e215460dae3a - stable/14 - netlink/route: fix nlattr_get_multipath() to check length List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: glebius X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: e215460dae3a8ff00ed0e78f978425464da36a3e Auto-Submitted: auto-generated The branch stable/14 has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=e215460dae3a8ff00ed0e78f978425464da36a3e commit e215460dae3a8ff00ed0e78f978425464da36a3e Author: Gleb Smirnoff AuthorDate: 2025-01-29 18:22:46 +0000 Commit: Gleb Smirnoff CommitDate: 2025-03-31 17:31:21 +0000 netlink/route: fix nlattr_get_multipath() to check length of supplied nexthop sub-attributes. While here, use unsigned types for length calculations and improve style(9). PR: 283860 (cherry picked from commit 49a6e213416b5c0c9eccdff0af1c6b01f34c3693) --- sys/netlink/route/rt.c | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index 679260e54322..410b1b04b6fc 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -425,33 +425,45 @@ post_p_rtnh(void *_attrs, struct nl_pstate *npt __unused) NL_DECLARE_PARSER_EXT(mpath_parser, struct rtnexthop, NULL, nlf_p_rtnh, nla_p_rtnh, post_p_rtnh); struct rta_mpath { - int num_nhops; + u_int num_nhops; struct rta_mpath_nh nhops[0]; }; static int -nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target) +nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt, + const void *arg, void *target) { - int data_len = nla->nla_len - sizeof(struct nlattr); + struct rta_mpath *mp; struct rtnexthop *rtnh; + uint16_t data_len, len; + u_int max_nhops; + int error; - int max_nhops = data_len / sizeof(struct rtnexthop); + data_len = nla->nla_len - sizeof(struct nlattr); + max_nhops = data_len / sizeof(struct rtnexthop); - struct rta_mpath *mp = npt_alloc(npt, (max_nhops + 2) * sizeof(struct rta_mpath_nh)); + mp = npt_alloc(npt, (max_nhops + 2) * sizeof(struct rta_mpath_nh)); mp->num_nhops = 0; for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) { - struct rta_mpath_nh *mpnh = &mp->nhops[mp->num_nhops++]; + struct rta_mpath_nh *mpnh; - int error = nl_parse_header(rtnh, rtnh->rtnh_len, &mpath_parser, + if (__predict_false(rtnh->rtnh_len <= sizeof(*rtnh) || + rtnh->rtnh_len > data_len)) { + NLMSG_REPORT_ERR_MSG(npt, "%s: bad length %u", + __func__, rtnh->rtnh_len); + return (EINVAL); + } + mpnh = &mp->nhops[mp->num_nhops++]; + error = nl_parse_header(rtnh, rtnh->rtnh_len, &mpath_parser, npt, mpnh); if (error != 0) { - NLMSG_REPORT_ERR_MSG(npt, "RTA_MULTIPATH: nexhop %d: parse failed", + NLMSG_REPORT_ERR_MSG(npt, + "RTA_MULTIPATH: nexthop %u: parse failed", mp->num_nhops - 1); return (error); } - - int len = NL_ITEM_ALIGN(rtnh->rtnh_len); + len = NL_ITEM_ALIGN(rtnh->rtnh_len); data_len -= len; rtnh = (struct rtnexthop *)((char *)rtnh + len); }