git: 8b476ffc4ea3 - stable/13 - rtsock: Fix stack overflow
Date: Tue, 24 Feb 2026 16:03:17 UTC
The branch stable/13 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=8b476ffc4ea3f82f758714fee0289209bc980782
commit 8b476ffc4ea3f82f758714fee0289209bc980782
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-02-23 15:52:50 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-02-24 16:03:14 +0000
rtsock: Fix stack overflow
Approved by: so
Security: FreeBSD-SA-26:05.route
Security: CVE-2026-3038
Fixes: 92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")
(cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
---
sys/net/rtsock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index d78a60070615..24b9007a987f 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1885,8 +1885,8 @@ rtsock_msg_buffer(int type, struct rt_addrinfo *rtinfo, struct walkarg *w, int *
#endif
dlen = SA_SIZE(sa);
if (cp != NULL && buflen >= dlen) {
- KASSERT(dlen <= sizeof(ss),
- ("%s: sockaddr size overflow", __func__));
+ if (sa->sa_len > sizeof(ss))
+ return (EINVAL);
bzero(&ss, sizeof(ss));
bcopy(sa, &ss, sa->sa_len);
sa = (struct sockaddr *)&ss;
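Review bot: The new bound `if (sa->sa_len > sizeof(ss))` carries no comment saying why it must be a runtime check rather than an assertion. The removed KASSERT is compiled out of kernels built without INVARIANTS, so the `bcopy(sa, &ss, sa->sa_len)` below it had no length limit in production builds. I would add `/* Bound the copy at runtime: KASSERT is a no-op without INVARIANTS. */` above the check. The check also tests `sa->sa_len` where the assertion tested `dlen`; that matches the bcopy length, but any later use of `dlen` bytes from `ss` (outside this hunk, so not verifiable here) relies on SA_SIZE() rounding never exceeding `sizeof(ss)`, which a compile-time assertion could pin down. rtsock_msg_buffer starts and ends outside the hunk, so how its callers handle the new EINVAL return cannot be confirmed from these lines.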