Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 1 Sep 2025 21:13:01 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 375527545c85 - main - ng_parse: Add upper bound to avoid possible overflow
Message-ID:  <202509012113.581LD1x7020036@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=375527545c85362f14070d35575f9bcd7092f4b9

commit 375527545c85362f14070d35575f9bcd7092f4b9
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2025-08-25 14:25:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-09-01 21:12:45 +0000

    ng_parse: Add upper bound to avoid possible overflow
    
    Also move num initialization for clarity.
    
    We still need to check num in ng_unparse_composite (reported by des@ in
    D52151) but this is another incremental improvement in netgraph input
    validation.
    
    Reviewed by:    des
    PR:             267334
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D52151
---
 sys/netgraph/ng_parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netgraph/ng_parse.c b/sys/netgraph/ng_parse.c
index 448ecc92f075..5e1a1bb47ac0 100644
--- a/sys/netgraph/ng_parse.c
+++ b/sys/netgraph/ng_parse.c
@@ -1199,14 +1199,14 @@ ng_parse_composite(const struct ng_parse_type *type, const char *s,
 	int *off, const u_char *const start, u_char *const buf, int *buflen,
 	const enum comptype ctype)
 {
-	const int num = ng_get_composite_len(type, start, buf, ctype);
 	int nextIndex = 0;		/* next implicit array index */
 	u_int index;			/* field or element index */
 	int *foff;			/* field value offsets in string */
 	int align, len, blen, error = 0;
 
 	/* Initialize */
-	if (num < 0)
+	const int num = ng_get_composite_len(type, start, buf, ctype);
+	if (num < 0 || num > INT_MAX / sizeof(*foff))
 		return (EINVAL);
 	foff = malloc(num * sizeof(*foff), M_NETGRAPH_PARSE, M_NOWAIT | M_ZERO);
 	if (foff == NULL) {

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202509012113.581LD1x7020036>