The branch main has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=e924a2c80b9e1ace68d8ca0ffdacec65feec90a3
commit e924a2c80b9e1ace68d8ca0ffdacec65feec90a3
Author: Gleb Smirnoff <[email protected]>
AuthorDate: 2026-05-20 14:27:52 +0000
Commit: Gleb Smirnoff <[email protected]>
CommitDate: 2026-05-20 14:27:52 +0000
netlink: fix unsigned overflow on a truncated message
PR: 295106
Submitted by: Robert Morris <[email protected]>
Reviewed by: pouria, melifaro
Differential Revision: https://reviews.freebsd.org/D56916
---
 sys/netlink/netlink_message_parser.h | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/sys/netlink/netlink_message_parser.h b/sys/netlink/netlink_message_parser.h
index 8f61091c4a7f..c747f301059c 100644
--- a/sys/netlink/netlink_message_parser.h
+++ b/sys/netlink/netlink_message_parser.h
@@ -315,6 +315,12 @@ static inline void
 nl_get_attrs_bmask_nlmsg(struct nlmsghdr *hdr,
 const struct nlhdr_parser *parser, struct nlattr_bmask *bm)
 {
+ if (__predict_false(hdr->nlmsg_len - sizeof(struct nlmsghdr) <
+ parser->nl_hdr_off)) {
+ /* Doesn't make sense to call nl_alloc_compat_hdr() here. */
+ BIT_ZERO(NL_ATTR_BMASK_SIZE, bm);
+ return;
+ }
 nl_get_attrs_bmask_raw(
 (struct nlattr *)((char *)(hdr + 1) + parser->nl_hdr_off),
 hdr->nlmsg_len - sizeof(*hdr) - parser->nl_hdr_off, bm);
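Review bot: The added guard subtracts before it compares, so it can wrap in the same way as the expression it protects. If `hdr->nlmsg_len` is smaller than `sizeof(struct nlmsghdr)`, the unsigned difference becomes a very large value, the `<` test is false, and the unchanged call below still computes a wrapped length for `nl_get_attrs_bmask_raw()`. Callers presumably reject messages shorter than the header before this point, but nothing in the hunk shows that. Writing the test additively removes the dependency: `if (__predict_false(hdr->nlmsg_len < sizeof(struct nlmsghdr) + parser->nl_hdr_off)) {`. Using `sizeof(*hdr)` there would also match the call below; the function's closing brace lies outside the hunk.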
