The branch stable/13 has been updated by emaste:
URL:
https://cgit.FreeBSD.org/src/commit/?id=e3af3a23c155d85275c6e32f2fe943468f252ba3
commit e3af3a23c155d85275c6e32f2fe943468f252ba3
Author: Ed Maste <ema...@freebsd.org>
AuthorDate: 2025-08-25 14:25:13 +0000
Commit: Ed Maste <ema...@freebsd.org>
CommitDate: 2025-09-04 13:05:30 +0000
ng_parse: Add upper bound to avoid possible overflow
Also move num initialization for clarity.
We still need to check num in ng_unparse_composite (reported by des@ in
D52151) but this is another incremental improvement in netgraph input
validation.
Reviewed by: des
PR: 267334
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52151
(cherry picked from commit 375527545c85362f14070d35575f9bcd7092f4b9)
(cherry picked from commit 4407e10fdc8b969775233d47c05559c2601b60f4)
---
sys/netgraph/ng_parse.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/netgraph/ng_parse.c b/sys/netgraph/ng_parse.c
index 1a1d9d8b3064..1f322a31975f 100644
--- a/sys/netgraph/ng_parse.c
+++ b/sys/netgraph/ng_parse.c
@@ -1200,14 +1200,14 @@ ng_parse_composite(const struct ng_parse_type *type,
const char *s,
int *off, const u_char *const start, u_char *const buf, int *buflen,
const enum comptype ctype)
{
- const int num = ng_get_composite_len(type, start, buf, ctype);
int nextIndex = 0; /* next implicit array index */
u_int index; /* field or element index */
int *foff; /* field value offsets in string */
int align, len, blen, error = 0;
/* Initialize */
- if (num < 0)
+ const int num = ng_get_composite_len(type, start, buf, ctype);
+ if (num < 0 || num > INT_MAX / sizeof(*foff))
return (EINVAL);
foff = malloc(num * sizeof(*foff), M_NETGRAPH_PARSE, M_NOWAIT | M_ZERO);
if (foff == NULL) {
