Date: Tue, 24 Feb 2026 16:01:35 +0000
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: d521badafdaa - releng/14.3 - rtsock: Fix stack overflow
Message-ID: <699dcb5f.27b67.55dc77f8@gitrepo.freebsd.org>
The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=d521badafdaa846d46157185e3c87d5165aeaa59 commit d521badafdaa846d46157185e3c87d5165aeaa59 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2026-02-23 15:52:50 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-02-23 16:39:30 +0000 rtsock: Fix stack overflow Approved by: so Security: FreeBSD-SA-26:05.route Security: CVE-2026-3038 Fixes: 92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes") (cherry picked from commit cd00cd9f6ed4b6f6e6bb8ae168f2537968991b53) (cherry picked from commit f44d771c2c6c80f3fabd11d335964e1efdf50a21) --- sys/net/rtsock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 8b4e716a0508..cd4363f1c0ce 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -1851,8 +1851,8 @@ rtsock_msg_buffer(int type, struct rt_addrinfo *rtinfo, struct walkarg *w, int * #endif dlen = SA_SIZE(sa); if (cp != NULL && buflen >= dlen) { - KASSERT(dlen <= sizeof(ss), - ("%s: sockaddr size overflow", __func__)); + if (sa->sa_len > sizeof(ss)) + return (EINVAL); bzero(&ss, sizeof(ss)); bcopy(sa, &ss, sa->sa_len); sa = (struct sockaddr *)&ss;home | help
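Review bot: The new `if (sa->sa_len > sizeof(ss)) return (EINVAL);` check sits inside the `if (cp != NULL && buflen >= dlen)` branch, so an oversized sockaddr is rejected only when a destination buffer is supplied and large enough. A call with `cp == NULL` or a short `buflen` still skips the check, so please confirm that callers which size the message first and copy second cope with EINVAL appearing only on the copying pass. The bound itself is the right one: it tests the same length that `bcopy(sa, &ss, sa->sa_len)` uses, whereas the removed KASSERT tested the rounded `dlen` and is compiled out of kernels built without INVARIANTS. A short comment above the check saying how an over-long `sa_len` can reach this point would help future readers, since the commit message carries only the advisory and CVE identifiers.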
