git: 44be923a2b6b - stable/14 - rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get

From: Pouria Mousavizadeh Tehrani <pouria_at_FreeBSD.org>
Date: Sat, 16 May 2026 21:33:02 UTC 
The branch stable/14 has been updated by pouria:

URL: https://cgit.FreeBSD.org/src/commit/?id=44be923a2b6bacd664b7e87e486cccd6fcc7cbad

commit 44be923a2b6bacd664b7e87e486cccd6fcc7cbad
Author:     Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
AuthorDate: 2026-05-12 11:34:28 +0000
Commit:     Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
CommitDate: 2026-05-16 21:28:09 +0000

    rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
    
    Fix length validation of RTA_MULTIPATH attributes in
    nlattr_get_multipath() by making sure the user request is align.
    
    PR:             295102
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    markj
    Fixes:          7e5bf68495cc ("netlink: add netlink support")
    MFC after:      3 days
    Differential Revision: https://reviews.freebsd.org/D56963
    
    (cherry picked from commit 4329663a861ef74796b79b6b0872cfe10d31c591)
    (cherry picked from commit 2c6617658f0cabb1e83a47da02882454e4210bd9)
---
 sys/netlink/route/rt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 7a6ba6ef27c5..8e9203182d76 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -448,8 +448,9 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
 	for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) {
 		struct rta_mpath_nh *mpnh;
 
+		len = NL_ITEM_ALIGN(rtnh->rtnh_len);
 		if (__predict_false(rtnh->rtnh_len <= sizeof(*rtnh) ||
-		    rtnh->rtnh_len > data_len)) {
+		    len < rtnh->rtnh_len || len > data_len)) {
 			NLMSG_REPORT_ERR_MSG(npt, "%s: bad length %u",
 			    __func__, rtnh->rtnh_len);
 			return (EINVAL);
@@ -463,7 +464,6 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
 			    mp->num_nhops - 1);
 			return (error);
 		}
-		len = NL_ITEM_ALIGN(rtnh->rtnh_len);
 		data_len -= len;
 		rtnh = (struct rtnexthop *)((char *)rtnh + len);
 	}