git: 4329663a861e - main - rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get

The branch main has been updated by pouria:

URL: https://cgit.FreeBSD.org/src/commit/?id=4329663a861ef74796b79b6b0872cfe10d31c591

commit 4329663a861ef74796b79b6b0872cfe10d31c591
Author:     Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
AuthorDate: 2026-05-12 11:34:28 +0000
Commit:     Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
CommitDate: 2026-05-13 09:44:28 +0000

    rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
    
    Fix length validation of RTA_MULTIPATH attributes in
    nlattr_get_multipath() by making sure the user request is align.
    
    PR:             295102
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    markj
    Fixes:          7e5bf68495cc ("netlink: add netlink support")
    MFC after:      3 days
    Differential Revision: https://reviews.freebsd.org/D56963
---
 sys/netlink/route/rt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 4d7b0a3e1fa3..dfc501e11299 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -479,8 +479,9 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
 	for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) {
 		struct rta_mpath_nh *mpnh;
 
+		len = NL_ITEM_ALIGN(rtnh->rtnh_len);
 		if (__predict_false(rtnh->rtnh_len <= sizeof(*rtnh) ||
-		    rtnh->rtnh_len > data_len)) {
+		    len < rtnh->rtnh_len || len > data_len)) {
 			NLMSG_REPORT_ERR_MSG(npt, "%s: bad length %u",
 			    __func__, rtnh->rtnh_len);
 			return (EINVAL);
@@ -494,7 +495,6 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
 			    mp->num_nhops - 1);
 			return (error);
 		}
-		len = NL_ITEM_ALIGN(rtnh->rtnh_len);
 		data_len -= len;
 		rtnh = (struct rtnexthop *)((char *)rtnh + len);
 	}