netlink: refuse a send(2) that is larger than socket buffer

The Netlink RFC doesn't say that explicitly, but general discussion seems
to state that a single netlink message shall be delivered in a single
send(2) to the socket.  So, if a single message doesn't fit into the buffer,
it is clearly EMSGSIZE.  The RFC is unclear whether an application is allowed
to send several smaller messages with a single syscall, potentially overflowing
the buffer, and whether the kernel should accept any of them.  At the moment,
no legit application does that.  So, the decision was taken not to overload
nl_sosend() with message parsing logic and to deny any oversized write.

Reported-by:	syzbot+eb5db60d36b005dbccf5@syzkaller.appspotmail.com
Gleb Smirnoff 2025-02-28 15:39:15 -08:00
parent 457d745d90
commit a80bbc4e95


@ -568,6 +568,9 @@ nl_sosend(struct socket *so, struct sockaddr *addr, struct uio *uio,
if (__predict_false(uio->uio_resid < sizeof(struct nlmsghdr)))
return (ENOBUFS); /* XXXGL: any better error? */
if (__predict_false(uio->uio_resid > sb->sb_hiwat))
return (EMSGSIZE);
error = SOCK_IO_SEND_LOCK(so, SBLOCKWAIT(flags));
if (error)
return (error);
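Review bot: the new `uio->uio_resid > sb->sb_hiwat` rejection sits before `SOCK_IO_SEND_LOCK(so, SBLOCKWAIT(flags))` is taken, so it reads `sb_hiwat` without the send lock and compares against the buffer's high-water mark rather than the space currently free in it. That makes it a cheap, deterministic early reject (a write larger than the whole buffer can never succeed, independent of how full the buffer is right now), which matches the commit message's intent, but the line deserves a short comment saying exactly that, in the same style as the `/* XXXGL: any better error? */` note on the ENOBUFS check just above it, so a later reader does not mistake it for a free-space check or move it under the lock.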