Date: Sat, 16 May 2026 21:22:06 +0000
From: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 2c6617658f0c - stable/15 - rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
Message-ID: <6a08dffe.3f315.34bbd51a@gitrepo.freebsd.org>
The branch stable/15 has been updated by pouria:

URL: https://cgit.FreeBSD.org/src/commit/?id=2c6617658f0cabb1e83a47da02882454e4210bd9

commit 2c6617658f0cabb1e83a47da02882454e4210bd9
Author: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
AuthorDate: 2026-05-12 11:34:28 +0000
Commit: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
CommitDate: 2026-05-16 21:21:50 +0000

    rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get

    Fix length validation of RTA_MULTIPATH attributes in
    nlattr_get_multipath() by making sure the user request is aligned.

    PR: 295102
    Reported by: Robert Morris <rtm@lcs.mit.edu>
    Reviewed by: markj
    Fixes: 7e5bf68495cc ("netlink: add netlink support")
    MFC after: 3 days
    Differential Revision: https://reviews.freebsd.org/D56963

    (cherry picked from commit 4329663a861ef74796b79b6b0872cfe10d31c591)

--- sys/netlink/route/rt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index 4d7f676d2aec..7641417a8e77 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -452,8 +452,9 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt, for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) { struct rta_mpath_nh *mpnh; + len = NL_ITEM_ALIGN(rtnh->rtnh_len); if (__predict_false(rtnh->rtnh_len <= sizeof(*rtnh) || - rtnh->rtnh_len > data_len)) { + len < rtnh->rtnh_len || len > data_len)) { NLMSG_REPORT_ERR_MSG(npt, "%s: bad length %u", __func__, rtnh->rtnh_len); return (EINVAL); @@ -467,7 +468,6 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt, mp->num_nhops - 1); return (error); } - len = NL_ITEM_ALIGN(rtnh->rtnh_len); data_len -= len; rtnh = (struct rtnexthop *)((char *)rtnh + len); }
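
Review bot: in the first hunk, the error path still reports only rtnh->rtnh_len ("%s: bad length %u"), although a request can now be rejected because the aligned len exceeds data_len while rtnh_len on its own looks plausible. Printing len and data_len alongside rtnh_len would make that rejection diagnosable from the message. The new "len < rtnh->rtnh_len" test would also benefit from a one-line comment: a rounded-up value can be smaller than its input only if the result wrapped in the type of len, and that declaration is outside the visible lines.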
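
Review bot: in the second hunk, "data_len -= len" and the rtnh advance now rely on the len assigned at the top of the iteration, and the lines between the check and this use are not part of the diff. Declaring len inside the loop body next to mpnh, rather than at function scope, would make it explicit that the value validated against data_len is the same one used to step to the next rtnexthop.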
