From 0216ea8598af7d4170a8660f48981fb12b7b1d67 Mon Sep 17 00:00:00 2001 From: Vincenzo Maffione Date: Wed, 29 Apr 2026 20:59:17 +0000 Subject: netmap: check for possible out-of-bound write with options Submitted by: hari.thirusangu@sophos.com MFC after: 2 weeks --- sys/dev/netmap/netmap.c | 1 + 1 file changed, 1 insertion(+) (limited to 'sys/dev/netmap/netmap.c') diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index f531151fb656..6f79c2c45b39 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -3503,6 +3503,7 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) /* check optsz and nro_size to avoid for possible integer overflows of rqsz */ if ((optsz > NETMAP_REQ_MAXSIZE) || (opt->nro_size > NETMAP_REQ_MAXSIZE) || (rqsz + optsz > NETMAP_REQ_MAXSIZE) + || (p - ker + optsz > bufsz) || (optsz > 0 && rqsz + optsz <= rqsz)) { error = EMSGSIZE; goto out_restore; -- cgit v1.3