From: Joshua Rogers Date: Tue, 10 Feb 2026 00:10:28 +0000 (+0100) Subject: Netlink: Fix handling of RTAX_CC_ALGO netlink attribute X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=167a7cb5099ee2c1e1f51abb4a51bd8e81c459b1;p=thirdparty%2Fbird.git Netlink: Fix handling of RTAX_CC_ALGO netlink attribute The kernel-provided congestion control algorithm (RTAX_CC_ALGO) is stored in an EAF_TYPE_STRING adata blob without the terminating NULL. When exporting metrics back to netlink, the value is treated as a C string and passed to nl_add_attr_str(), which uses strlen(str)+1. This may read past the allocated adata and leak adjacent memory or crash. Minor change by committer. --- diff --git a/sysdep/linux/netlink.c b/sysdep/linux/netlink.c index 299f132fe..8be5112c4 100644 --- a/sysdep/linux/netlink.c +++ b/sysdep/linux/netlink.c @@ -1876,7 +1876,7 @@ nl_parse_route(struct nl_parse_state *s, struct nlmsghdr *h) } else if (t == RTAX_CC_ALGO) { - struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo)); + struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo) + 1); memcpy(ad->data, cc_algo, ad->length); ea->attrs[n++] = (eattr) {
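Review bot: In the RTAX_CC_ALGO branch of nl_parse_route(), the new `strlen(cc_algo) + 1` makes ad->length count the terminating NUL, but nothing in the hunk documents that invariant, and the export path that the commit message describes (nl_add_attr_str() using strlen(str)+1) still depends on it. Add a short comment at the lp_alloc_adata() call stating that the adata deliberately includes the terminator. Consider also bounding the export side by ad->length, or checking that the last byte of ad->data is zero, so that a blob created without the NUL by any other path cannot reintroduce the over-read. The same branch calls strlen() on cc_algo directly; the visible lines do not show whether the attribute payload was checked to be NUL-terminated within its length before this point, which is worth confirming.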