git: 90d158c0cf25 - stable/11 - netgraph/ng_tag: permit variable length data
Lutz Donnerhacke
donner at FreeBSD.org
Mon Feb 1 14:08:07 UTC 2021
The branch stable/11 has been updated by donner:
URL: https://cgit.FreeBSD.org/src/commit/?id=90d158c0cf2598fde2ea1c7cd58909cf5a21c471
commit 90d158c0cf2598fde2ea1c7cd58909cf5a21c471
Author: Lutz Donnerhacke <donner at FreeBSD.org>
AuthorDate: 2021-01-02 13:58:17 +0000
Commit: Lutz Donnerhacke <donner at FreeBSD.org>
CommitDate: 2021-02-01 14:07:31 +0000
netgraph/ng_tag: permit variable length data
ng_tag(4) operate on arbitrary data of mbuf_tags(9). Those structures
are padded to the next multiple of the alignment by the compiler.
Hence a valid argument has be at most as long as the data received.
PR: 241462
Reviewed by: kp
Approved by: philip (mentor)
Differential Revision: https://reviews.freebsd.org/D22140
(cherry picked from commit 7c7c231c14246a709270bf3f3a4593208e84d01a)
---
sys/netgraph/ng_tag.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/sys/netgraph/ng_tag.c b/sys/netgraph/ng_tag.c
index 22d45a3174ad..1a9d44528a24 100644
--- a/sys/netgraph/ng_tag.c
+++ b/sys/netgraph/ng_tag.c
@@ -361,9 +361,8 @@ ng_tag_rcvmsg(node_p node, item_p item, hook_p lasthook)
hook_p hook;
/* Sanity check. */
- if (msg->header.arglen < sizeof(*hp)
- || msg->header.arglen !=
- NG_TAG_HOOKIN_SIZE(hp->tag_len))
+ if (msg->header.arglen < sizeof(*hp) ||
+ msg->header.arglen < NG_TAG_HOOKIN_SIZE(hp->tag_len))
ERROUT(EINVAL);
/* Find hook. */
@@ -383,9 +382,8 @@ ng_tag_rcvmsg(node_p node, item_p item, hook_p lasthook)
hook_p hook;
/* Sanity check. */
- if (msg->header.arglen < sizeof(*hp)
- || msg->header.arglen !=
- NG_TAG_HOOKOUT_SIZE(hp->tag_len))
+ if (msg->header.arglen < sizeof(*hp) ||
+ msg->header.arglen < NG_TAG_HOOKOUT_SIZE(hp->tag_len))
ERROUT(EINVAL);
/* Find hook. */
More information about the dev-commits-src-all
mailing list