From nobody Wed May 13 11:26:32 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gFrl16d7vz6dDtw for ; Wed, 13 May 2026 11:26:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gFrl14fvqz3ZRx for ; Wed, 13 May 2026 11:26:37 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1778671597; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5I3NOXC8XL68RKdET1nWduse8nArF9yxz4k2/POW5YM=; b=asemwWcJi0zKbeHFnDLtVRtJhHrYt7rMzEmrSHpIoTQ1z8k6p5q3jrWKwELg/GT5eZEE8i RK58IKQff/pzc//PvSjnFanv0/4PGbiq4UIfDvz2TLbN2fzpbpXic/qnPzUDnKEP6ww7h7 2NVM9ANEBUzpAXvaq8KoCM38x8Hlq20PThYELsPVrq15CF8/ov4jXI+/mY4fNd2OL0aghF a34+OTh4WfsKgYy01g6n++nQrpazoglTnsmylxLBfbG138gfzVeW1iQ/VG8Q3kHBRKAGNJ 9W+OiauLY7MTkDOycCI7Lqih9npBR/LHaEcr3J3sZeuH7N4BeRRoNsQ85+03zQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1778671597; a=rsa-sha256; cv=none; b=UJolw7juYqBbks+hpPqKCD3eKVCrM3j0lqs//2XNJQwODqjIv69HbKZ4MebnFzFjG5/O4m 9npRTvIP7NuJ423S1JVhw2Jnd9TH9a+MO/eqc47d8Q+11zMYE5B6n3vBlIxLhEXybM8mwn wBRra7zNzxVnvyTC4DssaDgkZJ6HPdLk+gQE9DAFdSqll/KP9Djjeuq6j+YYZHTYUKxSdf 0tmGsPXZTgI+Cdm2A+X2P+L7eqVoEDUJZU9HPjtIu+oiSLrp8NBQjdqqQBUj3+6OCCyxzp XqB+I+0sJSDX2IBAxzzwJkf08iQMnmpvE3APzwUl6ko+FJ+wuKJv66k3XnZymQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1778671597; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5I3NOXC8XL68RKdET1nWduse8nArF9yxz4k2/POW5YM=; b=MP50rGMEGZIKdEKBPlLoWCQ9G80mTe3z3wNwJRu4TMqkLSI8IOf4KRi1FqYghUPuuADXv4 T+yy12M2N4dVx1ic+arz37WuHhxvv1Q3LUZ4E/AwhqkCkWD3TkatZdyqnIgp10uJ/f0nM2 lq68qkUOJOEK0elAqDL70VvQ15IxxuJH+wUITZHa4/Hc4jumg1rCweZKYUuvDd2uc2jgsa K4fuWt7xukZQFzLraBC7c45gEEXuMCyNKvYYt6NlVXuWeq0YdGlqiw6eZLYZqPomZ4ShZu 9wG5JyrtSYe3SamR27FDy7zoo36PX3iG5aKki4sAIGsMamsObNSI3aIniSvDFQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gFrl141GCzpQh for ; Wed, 13 May 2026 11:26:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 43d94 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 13 May 2026 11:26:32 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Pouria Mousavizadeh Tehrani Subject: git: 188631e43a1a - main - rtnetlink: Check for allocation failure in nlattr_get_multipath() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: pouria X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 188631e43a1a5d2985156141c2e244a925670683 Auto-Submitted: auto-generated Date: Wed, 13 May 2026 11:26:32 +0000 Message-Id: <6a045fe8.43d94.6e31bd14@gitrepo.freebsd.org> The branch main has been updated by pouria: URL: https://cgit.FreeBSD.org/src/commit/?id=188631e43a1a5d2985156141c2e244a925670683 commit 188631e43a1a5d2985156141c2e244a925670683 Author: Pouria Mousavizadeh Tehrani AuthorDate: 2026-05-11 19:53:21 +0000 Commit: Pouria Mousavizadeh Tehrani CommitDate: 2026-05-13 09:44:19 +0000 rtnetlink: Check for allocation failure in nlattr_get_multipath() Check for alloction failure on `npt_alloc()` for RTA_MULTIPATH attributes in `nlattr_get_multipath()`. Also, add tests for maximum number of rtnexthop in rtnetlink. Reported by: Joshua Rogers of AISLE Research Team Reviewed by: markj MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D56954 --- sys/netlink/route/rt.c | 4 +++ tests/sys/netlink/test_rtnl_route.c | 55 +++++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index cb2d737f34e3..4d7b0a3e1fa3 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -470,6 +470,10 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt, max_nhops = data_len / sizeof(struct rtnexthop); mp = npt_alloc(npt, (max_nhops + 2) * sizeof(struct rta_mpath_nh)); + if (mp == NULL) { + NLMSG_REPORT_ERR_MSG(npt, "%s: too many RTA_MULTIPATH", __func__); + return (ENOMEM); + } mp->num_nhops = 0; for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) { diff --git a/tests/sys/netlink/test_rtnl_route.c b/tests/sys/netlink/test_rtnl_route.c index 84d73db11cc7..334d1fea9fe9 100644 --- a/tests/sys/netlink/test_rtnl_route.c +++ b/tests/sys/netlink/test_rtnl_route.c @@ -18,6 +18,7 @@ #include #include +#include #include #include @@ -310,12 +311,66 @@ ATF_TC_BODY(rtnl_nhgrp_expire, tc) cleanup_route_by_dst(&ss, &nw, "203.0.113.0"); } +ATF_TC(rtnl_nhgrp_big_nhops); +ATF_TC_HEAD(rtnl_nhgrp_big_nhops, tc) +{ + atf_tc_set_md_var(tc, "descr", "test RTA_MULTIPATH with too many nhops using netlink"); + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "require.kmods", "netlink"); +} + +ATF_TC_BODY(rtnl_nhgrp_big_nhops, tc) +{ + struct snl_state ss; + struct snl_writer nw; + struct nlmsghdr *hdr, *rx_hdr; + struct in_addr gw; + struct snl_errmsg_data e = {}; + struct snl_parsed_route r = { .rtax_weight = RT_DEFAULT_WEIGHT }; + struct rtmsg *rtm; + struct rtnexthop *rtnh; + int nhop, max_nhop, off, off2; + + max_nhop = 25; + ATF_REQUIRE_MSG(snl_init(&ss, NETLINK_ROUTE), "snl_init() failed"); + + inet_pton(AF_INET, "127.0.2.1", &gw); + + /* create new multipath route */ + snl_init_writer(&ss, &nw); + ATF_REQUIRE((hdr = snl_create_msg_request(&nw, RTM_NEWROUTE)) != NULL); + hdr->nlmsg_flags |= NLM_F_CREATE; + ATF_REQUIRE((rtm = prepare_rtm_by_dst(&nw, "203.0.113.0")) != NULL); + + off = snl_add_msg_attr_nested(&nw, RTA_MULTIPATH); + for (nhop = 0; nhop < max_nhop; nhop++) { + off2 = snl_get_msg_offset(&nw); + rtnh = snl_reserve_msg_object(&nw, struct rtnexthop); + rtnh->rtnh_flags = 0; + rtnh->rtnh_hops = nhop + 1; + rtnh->rtnh_ifindex = 0; + snl_add_msg_attr_ip4(&nw, RTA_GATEWAY, &gw); + rtnh = snl_restore_msg_offset(&nw, off2, struct rtnexthop); + rtnh->rtnh_len = snl_get_msg_offset(&nw) - off2; + } + snl_end_attr_nested(&nw, off); + + ATF_REQUIRE((hdr = snl_finalize_msg(&nw)) != NULL); + ATF_REQUIRE(snl_send_message(&ss, hdr)); + ATF_REQUIRE((rx_hdr = snl_read_reply(&ss, hdr->nlmsg_seq)) != NULL); + ATF_REQUIRE(snl_parse_errmsg(&ss, rx_hdr, &e)); + ATF_REQUIRE_INTEQ(e.error, ENOMEM); + + cleanup_route_by_dst(&ss, &nw, "203.0.113.0"); +} + ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, rtnl_nhgrp); ATF_TP_ADD_TC(tp, rtnl_nhgrp_expire); ATF_TP_ADD_TC(tp, rtnl_nhop_merge); + ATF_TP_ADD_TC(tp, rtnl_nhgrp_big_nhops); return (atf_no_error()); }