git: df932377e7dd - stable/15 - rtsock: Fix stack overflow

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 24 Feb 2026 16:00:26 UTC 
The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=df932377e7dd7dc536fa14612d9e80aa3554772e

commit df932377e7dd7dc536fa14612d9e80aa3554772e
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-02-23 15:52:50 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-02-24 16:00:21 +0000

    rtsock: Fix stack overflow
    
    Approved by:    so
    Security:       FreeBSD-SA-26:05.route
    Security:       CVE-2026-3038
    Fixes:          92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")
    
    (cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
---
 sys/net/rtsock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index be858428bb3e..de4c3f8c6374 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1866,8 +1866,8 @@ rtsock_msg_buffer(int type, struct rt_addrinfo *rtinfo, struct walkarg *w, int *
 #endif
 			dlen = SA_SIZE(sa);
 		if (cp != NULL && buflen >= dlen) {
-			KASSERT(dlen <= sizeof(ss),
-			    ("%s: sockaddr size overflow", __func__));
+			if (sa->sa_len > sizeof(ss))
+				return (EINVAL);
 			bzero(&ss, sizeof(ss));
 			bcopy(sa, &ss, sa->sa_len);
 			sa = (struct sockaddr *)&ss;