d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netgraph/ng_tag: permit variable length data

Browse Source 
ng_tag(4) operate on arbitrary data of mbuf_tags(9).  Those structures
are padded to the next multiple of the alignment by the compiler.
Hence a valid argument has be at most as long as the data received.

PR:		241462
Reviewed by:	kp
Approved by:	kp (mentor)
MFC after:	2 weeks
Differential Revision: https://reviews.freebsd.org/D22140
This commit is contained in:
Lutz Donnerhacke 2021-01-02 14:58:17 +01:00 committed by Lutz Donnerhacke
parent f850fd2496
commit 7c7c231c14
1 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
sys/netgraph/ng_tag.c
View File

@ -363,9 +363,8 @@ ng_tag_rcvmsg(node_p node, item_p item, hook_p lasthook)
hook_p hook;
/* Sanity check. */
if (msg->header.arglen < sizeof(*hp)
|| msg->header.arglen !=
NG_TAG_HOOKIN_SIZE(hp->tag_len))
if (msg->header.arglen < sizeof(*hp) ||
msg->header.arglen < NG_TAG_HOOKIN_SIZE(hp->tag_len))
ERROUT(EINVAL);
/* Find hook. */
@ -385,9 +384,8 @@ ng_tag_rcvmsg(node_p node, item_p item, hook_p lasthook)
hook_p hook;
/* Sanity check. */
if (msg->header.arglen < sizeof(*hp)
|| msg->header.arglen !=
NG_TAG_HOOKOUT_SIZE(hp->tag_len))
if (msg->header.arglen < sizeof(*hp) ||
msg->header.arglen < NG_TAG_HOOKOUT_SIZE(hp->tag_len))
ERROUT(EINVAL);
/* Find hook. */