git: a8d90e32133b - main - netlink: Fully clear parser state between messages
Date: Thu, 31 Jul 2025 10:07:03 UTC
The branch main has been updated by des:
URL: https://cgit.FreeBSD.org/src/commit/?id=a8d90e32133b77a49c2551f22e59f72d65293b64
commit a8d90e32133b77a49c2551f22e59f72d65293b64
Author: Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-07-31 10:06:47 +0000
Commit: Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-07-31 10:06:47 +0000
netlink: Fully clear parser state between messages
Failing to reset the cookie between messages can lead to an attempt
to interpret a zeroed buffer as a struct nlattr, causing a length
calculation to underflow, resulting in a memcpy() call where the
length exceeds the actual size of the buffer.
MFC after: 1 week
PR: 283797
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D51634
---
sys/netlink/netlink_io.c | 1 +
1 file changed, 1 insertion(+)
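The commit message describes the failure chain: a stale cookie makes the parser treat a zeroed buffer as a `struct nlattr`, the length calculation underflows, and the following memcpy() runs past the buffer. The example below is added here to illustrate that length-check failure in isolation; it is not code from the FreeBSD tree, and it does not model the kernel's `nl_pstate`, `lb`, or `cookie` fields. The `struct nlattr` is a local stand-in with the standard netlink header layout (16-bit length including the header, 16-bit type), and the sample attributes are constructed in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for the netlink attribute header (4 bytes: total length
 * including the header, then the attribute type). Defined here so the
 * example builds on its own; it is not the kernel's definition. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};
#define NLA_HDRLEN ((int)sizeof(struct nlattr))

/* Unchecked payload length: the arithmetic the commit message warns about.
 * A zeroed header has nla_len == 0, so 0 - NLA_HDRLEN wraps to a huge
 * size_t, and a memcpy() of that many bytes overruns the buffer. */
size_t nla_payload_len_unchecked(const struct nlattr *nla)
{
    return (size_t)nla->nla_len - NLA_HDRLEN;
}

/* Checked variant: the header must claim at least its own size and must
 * fit inside the bytes remaining in the message. Returns the payload
 * length, or -1 if the attribute is rejected. */
long nla_payload_len_checked(const struct nlattr *nla, size_t remaining)
{
    if (remaining < (size_t)NLA_HDRLEN)
        return -1;              /* not even a full header left */
    if (nla->nla_len < NLA_HDRLEN)
        return -1;              /* zeroed/corrupt header: would underflow */
    if (nla->nla_len > remaining)
        return -1;              /* claims more than the buffer holds */
    return (long)nla->nla_len - NLA_HDRLEN;
}

/* Copy an attribute's payload into dst only after the length survives the
 * check and fits the destination. Returns bytes copied, or -1. */
long nla_copy_payload(const struct nlattr *nla, size_t remaining,
                      void *dst, size_t dstlen)
{
    long len = nla_payload_len_checked(nla, remaining);
    if (len < 0 || (size_t)len > dstlen)
        return -1;
    memcpy(dst, (const uint8_t *)nla + NLA_HDRLEN, (size_t)len);
    return len;
}

/* Constructed samples: a zeroed header (the stale-state case), a valid
 * 8-byte attribute, and a header that overstates its length.
 * Returns the number of expectations that failed (0 on success). */
int demo(void)
{
    union { uint8_t b[16]; struct nlattr a; } msg;  /* keeps nlattr aligned */
    uint8_t out[16];
    struct nlattr zeroed, hdr;
    int fails = 0;

    /* Case 1: zeroed header, as left behind when parser state is not reset. */
    memset(&zeroed, 0, sizeof zeroed);
    if (nla_payload_len_unchecked(&zeroed) <= 0xFFFF)
        fails++;                /* expect wraparound to a huge value */
    if (nla_payload_len_checked(&zeroed, sizeof msg) != -1)
        fails++;                /* expect rejection */

    /* Case 2: well-formed attribute: 4-byte header plus 4-byte payload. */
    memset(&msg, 0, sizeof msg);
    hdr.nla_len = 8;
    hdr.nla_type = 1;
    memcpy(msg.b, &hdr, sizeof hdr);
    memcpy(msg.b + NLA_HDRLEN, "abcd", 4);
    if (nla_copy_payload(&msg.a, sizeof msg, out, sizeof out) != 4)
        fails++;
    if (memcmp(out, "abcd", 4) != 0)
        fails++;

    /* Case 3: header claims 32 bytes but only 16 remain in the message. */
    hdr.nla_len = 32;
    memcpy(msg.b, &hdr, sizeof hdr);
    if (nla_copy_payload(&msg.a, sizeof msg, out, sizeof out) != -1)
        fails++;

    return fails;
}

int main(void)
{
    int fails = demo();
    printf("%s (%d failed checks)\n", fails ? "FAIL" : "ok", fails);
    return fails != 0;
}
```

The checked helper rejects the zeroed header outright instead of letting the subtraction wrap, which is the behaviour a parser needs regardless of whether its per-message state was reset correctly; the reset in the commit removes the cause, the length check limits the consequence.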
diff --git a/sys/netlink/netlink_io.c b/sys/netlink/netlink_io.c
index ce323910af3f..e7908d6f3a44 100644
--- a/sys/netlink/netlink_io.c
+++ b/sys/netlink/netlink_io.c
@@ -308,6 +308,7 @@ static void
npt_clear(struct nl_pstate *npt)
{
lb_clear(&npt->lb);
+ npt->cookie = NULL;
npt->error = 0;
npt->err_msg = NULL;
npt->err_off = 0;
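Review bot: the added `npt->cookie = NULL;` carries no comment explaining why the cookie must be cleared here, while the commit message records a concrete consequence (a zeroed buffer read as a `struct nlattr`, length underflow, oversized memcpy()); a one-line comment such as `/* stale cookie from a previous message must not survive; see PR 283797 */` would keep that reasoning next to the code. The reset sits between `lb_clear(&npt->lb)` and the error-field resets, so `npt_clear()` now zeroes all visible per-message state together; a regression test that parses two messages back to back, with the first leaving a cookie set, would confirm the second message no longer sees it.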