git: e924a2c80b9e - main - netlink: fix unsigned overflow on a truncated message
Date: Wed, 20 May 2026 14:29:40 UTC
The branch main has been updated by glebius:
URL: https://cgit.FreeBSD.org/src/commit/?id=e924a2c80b9e1ace68d8ca0ffdacec65feec90a3
commit e924a2c80b9e1ace68d8ca0ffdacec65feec90a3
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2026-05-20 14:27:52 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2026-05-20 14:27:52 +0000
netlink: fix unsigned overflow on a truncated message
PR: 295106
Submitted by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: pouria, melifaro
Differential Revision: https://reviews.freebsd.org/D56916
---
sys/netlink/netlink_message_parser.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sys/netlink/netlink_message_parser.h b/sys/netlink/netlink_message_parser.h
index 8f61091c4a7f..c747f301059c 100644
--- a/sys/netlink/netlink_message_parser.h
+++ b/sys/netlink/netlink_message_parser.h
@@ -315,6 +315,12 @@ static inline void
nl_get_attrs_bmask_nlmsg(struct nlmsghdr *hdr,
const struct nlhdr_parser *parser, struct nlattr_bmask *bm)
{
+ if (__predict_false(hdr->nlmsg_len - sizeof(struct nlmsghdr) <
+ parser->nl_hdr_off)) {
+ /* Doesn't make sense to call nl_alloc_compat_hdr() here. */
+ BIT_ZERO(NL_ATTR_BMASK_SIZE, bm);
+ return;
+ }
nl_get_attrs_bmask_raw(
(struct nlattr *)((char *)(hdr + 1) + parser->nl_hdr_off),
hdr->nlmsg_len - sizeof(*hdr) - parser->nl_hdr_off, bm);
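Review bot: The new guard at the top of nl_get_attrs_bmask_nlmsg() still subtracts before it compares, so it only works if hdr->nlmsg_len is already at least sizeof(struct nlmsghdr). If a shorter length ever reaches this function, the unsigned subtraction wraps to a large value, the guard does not fire, and the length passed to nl_get_attrs_bmask_raw() wraps the same way. Whether every caller enforces that minimum is not visible in this hunk. Writing the test additively removes the dependency: `if (__predict_false(hdr->nlmsg_len < sizeof(struct nlmsghdr) + parser->nl_hdr_off)) {`. The function body continues past the end of the hunk.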