rtnetlink: Align RTA_MULTIPATH length validation in nlattr_get
Fix length validation of RTA_MULTIPATH attributes in
nlattr_get_multipath() by making sure the user request is aligned.
PR: 295102
Reported by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: markj
Fixes: 7e5bf68495 ("netlink: add netlink support")
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D56963
@@ -479,8 +479,9 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
|
||||
for (rtnh = (struct rtnexthop *)(nla + 1); data_len > 0; ) {
|
||||
struct rta_mpath_nh *mpnh;
|
||||
|
||||
len = NL_ITEM_ALIGN(rtnh->rtnh_len);
|
||||
if (__predict_false(rtnh->rtnh_len <= sizeof(*rtnh) ||
|
||||
rtnh->rtnh_len > data_len)) {
|
||||
len < rtnh->rtnh_len || len > data_len)) {
|
||||
NLMSG_REPORT_ERR_MSG(npt, "%s: bad length %u",
|
||||
__func__, rtnh->rtnh_len);
|
||||
return (EINVAL);
|
||||
@@ -494,7 +495,6 @@ nlattr_get_multipath(struct nlattr *nla, struct nl_pstate *npt,
|
||||
mp->num_nhops - 1);
|
||||
return (error);
|
||||
}
|
||||
len = NL_ITEM_ALIGN(rtnh->rtnh_len);
|
||||
data_len -= len;
|
||||
rtnh = (struct rtnexthop *)((char *)rtnh + len);
|
||||
}
|
||||
|
||||
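Review bot: In the first hunk, `len = NL_ITEM_ALIGN(rtnh->rtnh_len);` reads `rtnh->rtnh_len` while the loop condition has only established `data_len > 0`, so a trailing remainder shorter than `sizeof(*rtnh)` is dereferenced before the length check rejects it. Whether those bytes always lie inside the message buffer cannot be told from the hunk; a guard ahead of the read, e.g. `if (__predict_false(data_len < sizeof(*rtnh))) return (EINVAL);`, would make the loop safe on its own. The new `len < rtnh->rtnh_len` clause presumably catches wrap-around when the aligned value no longer fits the type of `len`, which is declared outside the hunk; a short comment such as `/* aligned length wrapped */` would keep it from being dropped later as redundant. The body of nlattr_get_multipath() starts and ends outside the visible hunks.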