The branch main has been updated by pouria: URL: https://cgit.FreeBSD.org/src/commit/?id=4329663a861ef74796b79b6b0872cfe10d31c591
commit 4329663a861ef74796b79b6b0872cfe10d31c591 Author: Pouria Mousavizadeh Tehrani <[email protected]> AuthorDate: 2026-05-12 11:34:28 +0000 Commit: Pouria Mousavizadeh Tehrani <[email protected]> CommitDate: 2026-05-13 09:44:28 +0000 rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get Fix length validation of RTA_MULTIPATH attributes in nlattr_get_multipath() by making sure the user request is align. PR: 295102 Reported by: Robert Morris <[email protected]> Reviewed by: markj Fixes: 7e5bf68495cc ("netlink: add netlink support") MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D56963 --- sys/netlink/route/rt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index 4d7b0a3e1fa3..dfc501e11299 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -479,8 +479,9 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt, for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) { struct rta_mpath_nh *mpnh; + len = NL_ITEM_ALIGN(rtnh->rtnh_len); if (__predict_false(rtnh->rtnh_len <= sizeof(*rtnh) || - rtnh->rtnh_len > data_len)) { + len < rtnh->rtnh_len || len > data_len)) { NLMSG_REPORT_ERR_MSG(npt, "%s: bad length %u", __func__, rtnh->rtnh_len); return (EINVAL); @@ -494,7 +495,6 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt, mp->num_nhops - 1); return (error); } - len = NL_ITEM_ALIGN(rtnh->rtnh_len); data_len -= len; rtnh = (struct rtnexthop *)((char *)rtnh + len); }
