Date:      Thu, 11 Jan 2024 04:52:14 GMT
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: d9b1f6fbf993 - main - netlink: fix bug with socket buffer character counter underflow
Message-ID:  <202401110452.40B4qEaU041682@gitrepo.freebsd.org>

The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=d9b1f6fbf9935a9d54c78987a04af7cda3740c56

commit d9b1f6fbf9935a9d54c78987a04af7cda3740c56
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2024-01-11 04:51:53 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2024-01-11 04:51:53 +0000

    netlink: fix bug with socket buffer character counter underflow
    
    Cover the case when an nb that we are now reading in full had been
    partially read by a previous read(2) and now has a positive offset.  Throw
    in a couple of assertions that helped to catch that earlier.
---
 sys/netlink/netlink_domain.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/netlink/netlink_domain.c b/sys/netlink/netlink_domain.c
index 7ecafbf99d26..777aff43000a 100644
--- a/sys/netlink/netlink_domain.c
+++ b/sys/netlink/netlink_domain.c
@@ -744,6 +744,7 @@ nl_soreceive(struct socket *so, struct sockaddr **psa, struct uio *uio,
 		offset = nb->offset;
 		while (offset < nb->datalen) {
 			hdr = (struct nlmsghdr *)&nb->data[offset];
+			MPASS(nb->offset + hdr->nlmsg_len <= nb->datalen);
 			if (uio->uio_resid < len + hdr->nlmsg_len) {
 				overflow = len + hdr->nlmsg_len -
 				    uio->uio_resid;
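Review bot: the new MPASS on the header bounds uses nb->offset, but hdr is read at the loop-local offset, which starts at nb->offset (offset = nb->offset two lines above the loop) and moves past it once the first message of this nb has been counted; for every message after the first the assertion therefore checks a weaker bound than the one the read at &nb->data[offset] relies on. Consider `MPASS(offset + hdr->nlmsg_len <= nb->datalen);` so the check covers the message actually being parsed. It is also worth noting that hdr->nlmsg_len is dereferenced before the assertion runs, so the loop condition offset < nb->datalen is being trusted to leave room for a full struct nlmsghdr; if that is guaranteed by the producer side, a one-line comment saying so would save the next reader the question.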
@@ -784,7 +785,7 @@ nl_soreceive(struct socket *so, struct sockaddr **psa, struct uio *uio,
 			msgrcv++;
 		}
 		MPASS(offset == nb->datalen);
-		datalen += nb->datalen;
+		datalen += nb->datalen - nb->offset;
 	}
 nospace:
 	last = nb;
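Review bot: the corrected charge `datalen += nb->datalen - nb->offset;` is only right if the nb->offset bytes were already subtracted from sb_acc/sb_ccc by the earlier partial read(2) that advanced nb->offset, and that invariant is stated nowhere in this hunk. Add a one-line comment here (or at the place that advances nb->offset) saying that bytes before nb->offset have already been charged, so nobody later "simplifies" this back to nb->datalen and reintroduces the underflow. The `MPASS(offset == nb->datalen);` just above also relies on nb->offset <= nb->datalen on entry to the loop; if that is not asserted where offset is initialised, adding it there would make a bad offset fail at its origin rather than at the counter.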
@@ -796,6 +797,7 @@ nospace:
 			TAILQ_FIRST(&sb->nl_queue) = last;
 			last->tailq.tqe_prev = &TAILQ_FIRST(&sb->nl_queue);
 		}
+		MPASS(sb->sb_acc >= datalen);
 		sb->sb_acc -= datalen;
 		sb->sb_ccc -= datalen;
 	}
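Review bot: `MPASS(sb->sb_acc >= datalen);` guards only sb_acc, yet sb_ccc is decremented by the same datalen on the very next line; add `MPASS(sb->sb_ccc >= datalen);` (or assert whatever relation between the two counters this socket type maintains) so a divergence between them does not go unnoticed. Keep in mind that MPASS is compiled out without INVARIANTS, so on a production kernel an over-charge would still wrap the unsigned counters silently; the protection is the corrected charge in the previous hunk, and this assertion is a diagnostic only.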



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202401110452.40B4qEaU041682>
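To make the accounting error concrete, here is an added user-space model of the sb_acc bookkeeping in nl_soreceive(). It is example code written for this note, not FreeBSD code: the structure layouts, the nb FIFO, the rule that a read stops at a message boundary, and the names nb_enqueue(), nl_recv_model() and partial_then_full() are all assumptions made for the model. The scenario is the one from the commit message: a two-message nb is first read partially (read #1 asks for 40 bytes and takes only the 32-byte message, leaving nb->offset = 32), a second nb is queued, and read #2 drains everything. Charging nb->datalen for the first nb tries to subtract 112 from a counter holding 80; charging nb->datalen - nb->offset subtracts exactly 80.

```c
/* Added example, not FreeBSD code: a user-space model of the sb_acc accounting in
 * nl_soreceive(); layouts, the nb FIFO and the partial-read rule are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAXNBS 4
#define NBDATA 256

/* Same 16-byte layout as struct nlmsghdr; nlmsg_len includes the header. */
struct nlmsghdr_model { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags;
    uint32_t nlmsg_seq, nlmsg_pid; };

/* datalen: valid bytes in data[]; offset: bytes an earlier read(2) already took. */
struct nl_buf { uint32_t datalen, offset; uint8_t data[NBDATA]; };

/* sb_acc: bytes queued and not yet read; nb[], head, nnb: FIFO of queued nbs. */
struct nl_sockbuf { uint32_t sb_acc; struct nl_buf nb[MAXNBS]; int head, nnb; };

/* Queue one nb of n messages (lengths multiples of 4) and charge sb_acc for it. */
static bool nb_enqueue(struct nl_sockbuf *sb, const uint32_t *lens, int n)
{
	struct nl_buf *nb = &sb->nb[(sb->head + sb->nnb) % MAXNBS];
	struct nlmsghdr_model h;
	uint32_t off = 0;

	if (sb->nnb == MAXNBS)
		return false;
	memset(nb, 0, sizeof(*nb));
	for (int i = 0; i < n; i++) {
		h = (struct nlmsghdr_model){ lens[i], (uint16_t)i, 0, 0, 0 };
		if (h.nlmsg_len < sizeof(h) || h.nlmsg_len % 4 || off + h.nlmsg_len > NBDATA)
			return false;
		memcpy(&nb->data[off], &h, sizeof(h));
		off += h.nlmsg_len;
	}
	nb->datalen = off;
	sb->sb_acc += off;
	sb->nnb++;
	return true;
}

/* One read(2) of up to `resid` bytes: whole messages are delivered (counted, not
 * copied) until the next one does not fit.  Drained nbs are charged via one `datalen`
 * sum as in nl_soreceive(); `fixed` picks nb->datalen (pre-commit) or
 * nb->datalen - nb->offset.  Returns bytes delivered, or -1 on sb_acc underflow. */
static long nl_recv_model(struct nl_sockbuf *sb, uint32_t resid, bool fixed)
{
	struct nl_buf *nb = NULL;
	struct nlmsghdr_model hdr;
	uint32_t len = 0, datalen = 0, offset = 0;
	int i;

	for (i = 0; i < sb->nnb; i++) {
		nb = &sb->nb[(sb->head + i) % MAXNBS];
		offset = nb->offset;
		while (offset < nb->datalen) {
			memcpy(&hdr, &nb->data[offset], sizeof(hdr));
			if (hdr.nlmsg_len < sizeof(hdr) || offset + hdr.nlmsg_len > nb->datalen)
				return -1;	/* corrupt nb; the kernel asserts this */
			if (resid < len + hdr.nlmsg_len)
				goto nospace;	/* stop at a message boundary */
			len += hdr.nlmsg_len;
			offset += hdr.nlmsg_len;
		}
		datalen += fixed ? nb->datalen - nb->offset : nb->datalen;
	}
nospace:
	if (sb->sb_acc < datalen)
		return -1;			/* the underflow the commit fixes */
	sb->sb_acc -= datalen;
	sb->head = (sb->head + i) % MAXNBS;	/* dequeue the drained nbs */
	if (i < sb->nnb && offset > nb->offset) {
		/* Partially read nb stays queued, charged only for what was taken now. */
		sb->sb_acc -= offset - nb->offset;
		nb->offset = offset;	/* this is how an nb gets a positive offset */
	}
	sb->nnb -= i;
	return (long)len;
}

/* The commit's case: read #1 takes only the first message of a two-message nb
 * (nb->offset becomes 32), another nb arrives, read #2 drains everything.
 * Returns sb_acc afterwards (0 when consistent) or -1 on underflow. */
static long partial_then_full(bool fixed)
{
	struct nl_sockbuf sb;
	const uint32_t first[2] = { 32, 48 }, second[2] = { 16, 16 };

	memset(&sb, 0, sizeof(sb));
	if (!nb_enqueue(&sb, first, 2) || nl_recv_model(&sb, 40, fixed) != 32)
		return -1;
	if (!nb_enqueue(&sb, second, 2) || nl_recv_model(&sb, 200, fixed) != 80)
		return -1;
	return sb.sb_acc;
}

int main(void)
{
	printf("pre-fix: sb_acc %ld, fixed: sb_acc %ld\n", partial_then_full(false), partial_then_full(true));
	return 0;
}
```

Compile with cc and run: the pre-fix charge reports -1, the subtraction that MPASS(sb->sb_acc >= datalen) trips on under INVARIANTS and that wraps the unsigned counter on a kernel built without it; the fixed charge leaves sb_acc at 0, matching every byte queued against every byte read.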