| field | value | date |
|---|---|---|
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2025-07-31 10:06:47 +0000 |
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2025-08-06 13:52:12 +0000 |
| commit | 627831eba3deb2644edc2b92c4ce8365321b8930 (patch) | |
| tree | 551a507718d45e740432a5ccfa8e51e28d63f359 | |
| parent | 48bd13dbf90022b0266d419d465160ffb01b8040 (diff) | |
netlink: Fully clear parser state between messages
Failing to reset the cookie between messages can lead to an attempt
to interpret a zeroed buffer as a struct nlattr, causing a length
calculation to underflow, resulting in a memcpy() call where the
length exceeds the actual size of the buffer.
MFC after: 1 week
PR: 283797
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D51634
(cherry picked from commit a8d90e32133b77a49c2551f22e59f72d65293b64)
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | sys/netlink/netlink_io.c | 1 |

1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netlink/netlink_io.c b/sys/netlink/netlink_io.c index 0ca71fb6219b..c6827c76c623 100644 --- a/sys/netlink/netlink_io.c +++ b/sys/netlink/netlink_io.c @@ -520,6 +520,7 @@ static void npt_clear(struct nl_pstate *npt) { lb_clear(&npt->lb); + npt->cookie = NULL; npt->error = 0; npt->err_msg = NULL; npt->err_off = 0; |
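Review bot: The one-line fix in npt_clear() is correct as far as it goes, but it makes correctness depend on every parse path calling npt_clear() before the next message; the commit message says a stale cookie was interpreted as a struct nlattr and the length calculation underflowed, so the consumer of npt->cookie should also validate the attribute header it reads (at least that the length is no smaller than the header and fits within the remaining buffer) before it is handed to memcpy(), so a future path that skips the reset cannot reintroduce the same underflow. A short comment next to `npt->cookie = NULL;` noting that the cookie is per-message state which must never survive into the next message would also help, since nothing in the surrounding lines (`lb_clear(&npt->lb);`, `npt->error = 0;`) otherwise signals why it belongs here.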
