From 7c7c231c14246a709270bf3f3a4593208e84d01a Mon Sep 17 00:00:00 2001
From: Lutz Donnerhacke <lutz@donnerhacke.de>
Date: Sat, 2 Jan 2021 14:58:17 +0100
Subject: [PATCH] netgraph/ng_tag: permit variable length data

ng_tag(4) operate on arbitrary data of mbuf_tags(9).  Those structures
are padded to the next multiple of the alignment by the compiler.
Hence a valid argument has be at most as long as the data received.

PR:		241462
Reviewed by:	kp
Approved by:	kp (mentor)
MFC after:	2 weeks
Differential Revision: https://reviews.freebsd.org/D22140
---
 sys/netgraph/ng_tag.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/sys/netgraph/ng_tag.c b/sys/netgraph/ng_tag.c
index 364a0bd83dc0..d46c463fc53a 100644
--- a/sys/netgraph/ng_tag.c
+++ b/sys/netgraph/ng_tag.c
@@ -363,9 +363,8 @@ ng_tag_rcvmsg(node_p node, item_p item, hook_p lasthook)
 			hook_p hook;
 
 			/* Sanity check. */
-			if (msg->header.arglen < sizeof(*hp)
-			    || msg->header.arglen !=
-			    NG_TAG_HOOKIN_SIZE(hp->tag_len))
+			if (msg->header.arglen < sizeof(*hp) ||
+			    msg->header.arglen < NG_TAG_HOOKIN_SIZE(hp->tag_len))
 				ERROUT(EINVAL);
 
 			/* Find hook. */
@@ -385,9 +384,8 @@ ng_tag_rcvmsg(node_p node, item_p item, hook_p lasthook)
 			hook_p hook;
 
 			/* Sanity check. */
-			if (msg->header.arglen < sizeof(*hp)
-			    || msg->header.arglen !=
-			    NG_TAG_HOOKOUT_SIZE(hp->tag_len))
+			if (msg->header.arglen < sizeof(*hp) ||
+			    msg->header.arglen < NG_TAG_HOOKOUT_SIZE(hp->tag_len))
 				ERROUT(EINVAL);
 
 			/* Find hook. */