git: 375527545c85 - main - ng_parse: Add upper bound to avoid possible overflow

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Mon, 01 Sep 2025 21:13:01 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=375527545c85362f14070d35575f9bcd7092f4b9

commit 375527545c85362f14070d35575f9bcd7092f4b9
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2025-08-25 14:25:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-09-01 21:12:45 +0000

    ng_parse: Add upper bound to avoid possible overflow
    
    Also move num initialization for clarity.
    
    We still need to check num in ng_unparse_composite (reported by des@ in
    D52151) but this is another incremental improvement in netgraph input
    validation.
    
    Reviewed by:    des
    PR:             267334
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D52151
---
 sys/netgraph/ng_parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netgraph/ng_parse.c b/sys/netgraph/ng_parse.c
index 448ecc92f075..5e1a1bb47ac0 100644
--- a/sys/netgraph/ng_parse.c
+++ b/sys/netgraph/ng_parse.c
@@ -1199,14 +1199,14 @@ ng_parse_composite(const struct ng_parse_type *type, const char *s,
 	int *off, const u_char *const start, u_char *const buf, int *buflen,
 	const enum comptype ctype)
 {
-	const int num = ng_get_composite_len(type, start, buf, ctype);
 	int nextIndex = 0;		/* next implicit array index */
 	u_int index;			/* field or element index */
 	int *foff;			/* field value offsets in string */
 	int align, len, blen, error = 0;
 
 	/* Initialize */
-	if (num < 0)
+	const int num = ng_get_composite_len(type, start, buf, ctype);
+	if (num < 0 || num > INT_MAX / sizeof(*foff))
 		return (EINVAL);
 	foff = malloc(num * sizeof(*foff), M_NETGRAPH_PARSE, M_NOWAIT | M_ZERO);
 	if (foff == NULL) {