git: 375527545c85 - main - ng_parse: Add upper bound to avoid possible overflow
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 01 Sep 2025 21:13:01 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=375527545c85362f14070d35575f9bcd7092f4b9
commit 375527545c85362f14070d35575f9bcd7092f4b9
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2025-08-25 14:25:13 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-09-01 21:12:45 +0000
ng_parse: Add upper bound to avoid possible overflow
Also move num initialization for clarity.
We still need to check num in ng_unparse_composite (reported by des@ in
D52151) but this is another incremental improvement in netgraph input
validation.
Reviewed by: des
PR: 267334
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52151
---
sys/netgraph/ng_parse.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/netgraph/ng_parse.c b/sys/netgraph/ng_parse.c
index 448ecc92f075..5e1a1bb47ac0 100644
--- a/sys/netgraph/ng_parse.c
+++ b/sys/netgraph/ng_parse.c
@@ -1199,14 +1199,14 @@ ng_parse_composite(const struct ng_parse_type *type, const char *s,
int *off, const u_char *const start, u_char *const buf, int *buflen,
const enum comptype ctype)
{
- const int num = ng_get_composite_len(type, start, buf, ctype);
int nextIndex = 0; /* next implicit array index */
u_int index; /* field or element index */
int *foff; /* field value offsets in string */
int align, len, blen, error = 0;
/* Initialize */
- if (num < 0)
+ const int num = ng_get_composite_len(type, start, buf, ctype);
+ if (num < 0 || num > INT_MAX / sizeof(*foff))
return (EINVAL);
foff = malloc(num * sizeof(*foff), M_NETGRAPH_PARSE, M_NOWAIT | M_ZERO);
if (foff == NULL) {