netgraph/ng_tag: permit variable length data

ng_tag(4) operate on arbitrary data of mbuf_tags(9).  Those structures
are padded to the next multiple of the alignment by the compiler.
Hence a valid argument has be at most as long as the data received.

PR:		241462
Reviewed by:	kp
Approved by:	kp (mentor)
MFC after:	2 weeks
Differential Revision: https://reviews.freebsd.org/D22140

1 files changed, 4 insertions, 6 deletions

diff --git a/sys/netgraph/ng_tag.c b/sys/netgraph/ng_tag.c
index 364a0bd83dc0..d46c463fc53a 100644
--- a/sys/netgraph/ng_tag.c
+++ b/sys/netgraph/ng_tag.c
@@ -363,9 +363,8 @@ ng_tag_rcvmsg(node_p node, item_p item, hook_p lasthook)
 			hook_p hook;
 
 			/* Sanity check. */
-			if (msg->header.arglen < sizeof(*hp)
-			    || msg->header.arglen !=
-			    NG_TAG_HOOKIN_SIZE(hp->tag_len))
+			if (msg->header.arglen < sizeof(*hp) ||
+			    msg->header.arglen < NG_TAG_HOOKIN_SIZE(hp->tag_len))
 				ERROUT(EINVAL);
 
 			/* Find hook. */
@@ -385,9 +384,8 @@ ng_tag_rcvmsg(node_p node, item_p item, hook_p lasthook)
 			hook_p hook;
 
 			/* Sanity check. */
-			if (msg->header.arglen < sizeof(*hp)
-			    || msg->header.arglen !=
-			    NG_TAG_HOOKOUT_SIZE(hp->tag_len))
+			if (msg->header.arglen < sizeof(*hp) ||
+			    msg->header.arglen < NG_TAG_HOOKOUT_SIZE(hp->tag_len))
 				ERROUT(EINVAL);
 
 			/* Find hook. */