git: 0216ea8598af - main - netmap: check for possible out-of-bound write with options
Date: Wed, 29 Apr 2026 21:13:18 UTC
The branch main has been updated by vmaffione:
URL: https://cgit.FreeBSD.org/src/commit/?id=0216ea8598af7d4170a8660f48981fb12b7b1d67
commit 0216ea8598af7d4170a8660f48981fb12b7b1d67
Author: Vincenzo Maffione <vmaffione@FreeBSD.org>
AuthorDate: 2026-04-29 20:59:17 +0000
Commit: Vincenzo Maffione <vmaffione@FreeBSD.org>
CommitDate: 2026-04-29 21:13:09 +0000
netmap: check for possible out-of-bound write with options
Submitted by: hari.thirusangu@sophos.com
MFC after: 2 weeks
---
sys/dev/netmap/netmap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c
index f531151fb656..6f79c2c45b39 100644
--- a/sys/dev/netmap/netmap.c
+++ b/sys/dev/netmap/netmap.c
@@ -3503,6 +3503,7 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
/* check optsz and nro_size to avoid for possible integer overflows of rqsz */
if ((optsz > NETMAP_REQ_MAXSIZE) || (opt->nro_size > NETMAP_REQ_MAXSIZE)
|| (rqsz + optsz > NETMAP_REQ_MAXSIZE)
+ || (p - ker + optsz > bufsz)
|| (optsz > 0 && rqsz + optsz <= rqsz)) {
error = EMSGSIZE;
goto out_restore;
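Review bot: The comment above the condition still describes only integer overflow of rqsz, but the added clause `(p - ker + optsz > bufsz)` is a different kind of check: it bounds the write offset into the destination buffer. Please extend the comment to say so, and give the commit message a body explaining which request shape passes the `rqsz + optsz > NETMAP_REQ_MAXSIZE` test yet would still write past bufsz, since the MFC reviewers will need that to judge the backport. Two smaller points on the same line: the sum is safe from wrapping only because `optsz > NETMAP_REQ_MAXSIZE` is tested earlier in the same `||` chain, so writing it as `optsz > bufsz - (p - ker)` would make the clause correct independently of that ordering; and the declarations of p, ker and bufsz are not visible in this hunk, so it is worth confirming that the signed pointer difference and bufsz compare in the intended type.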