git: c9b5ce2422cc - stable/14 - rtnetlink: Check for allocation failure in nlattr_get_multipath()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 16 May 2026 21:33:03 UTC
The branch stable/14 has been updated by pouria:
URL: https://cgit.FreeBSD.org/src/commit/?id=c9b5ce2422cc1494a0dffee4c4e5864e39217472
commit c9b5ce2422cc1494a0dffee4c4e5864e39217472
Author: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
AuthorDate: 2026-05-11 19:53:21 +0000
Commit: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
CommitDate: 2026-05-16 21:28:30 +0000
rtnetlink: Check for allocation failure in nlattr_get_multipath()
Check for alloction failure on `npt_alloc()` for RTA_MULTIPATH
attributes in `nlattr_get_multipath()`.
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D56954
(cherry picked from commit 188631e43a1a5d2985156141c2e244a925670683)
(cherry picked from commit 3e2308d57080a2345e3db1139683368b504ee0bd)
---
sys/netlink/route/rt.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 8e9203182d76..fac174e01efd 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -443,6 +443,10 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
max_nhops = data_len / sizeof(struct rtnexthop);
mp = npt_alloc(npt, (max_nhops + 2) * sizeof(struct rta_mpath_nh));
+ if (mp == NULL) {
+ NLMSG_REPORT_ERR_MSG(npt, "%s: too many RTA_MULTIPATH", __func__);
+ return (ENOMEM);
+ }
mp->num_nhops = 0;
for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) {