rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get

Fix length validation of RTA_MULTIPATH attributes in
nlattr_get_multipath() by making sure the user request is align.

PR:		295102
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Reviewed by:	markj
Fixes:		7e5bf68495 ("netlink: add netlink support")
MFC after:	3 days
Differential Revision: https://reviews.freebsd.org/D56963
This commit is contained in:
Pouria Mousavizadeh Tehrani
2026-05-12 15:04:28 +03:30
parent 188631e43a
commit 4329663a86
+2 -2
View File
@@ -479,8 +479,9 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) {
struct rta_mpath_nh *mpnh;
len = NL_ITEM_ALIGN(rtnh->rtnh_len);
if (__predict_false(rtnh->rtnh_len <= sizeof(*rtnh) ||
rtnh->rtnh_len > data_len)) {
len < rtnh->rtnh_len || len > data_len)) {
NLMSG_REPORT_ERR_MSG(npt, "%s: bad length %u",
__func__, rtnh->rtnh_len);
return (EINVAL);
@@ -494,7 +495,6 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
mp->num_nhops - 1);
return (error);
}
len = NL_ITEM_ALIGN(rtnh->rtnh_len);
data_len -= len;
rtnh = (struct rtnexthop *)((char *)rtnh + len);
}