From a80bbc4e9597530b91735ebf366a2a62dc27a8d8 Mon Sep 17 00:00:00 2001 From: Gleb Smirnoff Date: Fri, 28 Feb 2025 15:39:15 -0800 Subject: [PATCH] netlink: refuse a send(2) that is larger than socket buffer The Netlink RFC doesn't say that explicitly, but general discussion seems to state that a single netlink message shall be delivered in a single send(2) to the socket. So, if a single message doesn't fit into buffer it is clear EMSGSIZE. The RFC is unclear if application is allowed to send several smaller messages with a single syscall potentially overflowing the buffer and whether kernel should accept any of them. At the moment, no legit application does that. So, decision was taken not to overload nl_sosend() with a message parsing logic and deny any oversized write. Reported-by: syzbot+eb5db60d36b005dbccf5@syzkaller.appspotmail.com --- sys/netlink/netlink_domain.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netlink/netlink_domain.c b/sys/netlink/netlink_domain.c index a7ceae687d8..74b46114716 100644 --- a/sys/netlink/netlink_domain.c +++ b/sys/netlink/netlink_domain.c @@ -568,6 +568,9 @@ nl_sosend(struct socket *so, struct sockaddr *addr, struct uio *uio, if (__predict_false(uio->uio_resid < sizeof(struct nlmsghdr))) return (ENOBUFS); /* XXXGL: any better error? */ + if (__predict_false(uio->uio_resid > sb->sb_hiwat)) + return (EMSGSIZE); + error = SOCK_IO_SEND_LOCK(so, SBLOCKWAIT(flags)); if (error) return (error);