The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=7465d0b094b7ad8a41ba1df8305c4a8aaa83eb4b
commit 7465d0b094b7ad8a41ba1df8305c4a8aaa83eb4b Author: Mark Johnston <[email protected]> AuthorDate: 2026-02-23 15:52:50 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2026-02-24 16:02:21 +0000 rtsock: Fix stack overflow Approved by: so Approved by: re (cperciva) Security: FreeBSD-SA-26:05.route Security: CVE-2026-3038 Fixes: 92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes") (cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2) (cherry picked from commit 1eb2beb3686c50a870ed7688f753f89dd0f0ab3e) --- sys/net/rtsock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index bc70c600e3ab..e3116b8ee4b5 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -1851,8 +1851,8 @@ rtsock_msg_buffer(int type, struct rt_addrinfo *rtinfo, struct walkarg *w, int * #endif dlen = SA_SIZE(sa); if (cp != NULL && buflen >= dlen) { - KASSERT(dlen <= sizeof(ss), - ("%s: sockaddr size overflow", __func__)); + if (sa->sa_len > sizeof(ss)) + return (EINVAL); bzero(&ss, sizeof(ss)); bcopy(sa, &ss, sa->sa_len); sa = (struct sockaddr *)&ss;
