Commit a6a9bc54 authored Feb 09, 2026 by Jeremy Kerr Committed by Jakub Kicinski Feb 12, 2026

net: mctp: ensure our nlmsg responses are initialised



Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from
DEVCORE Research Team working with Trend Micro Zero Day Initiative
report that a RTM_GETNEIGH will return uninitalised data in the pad
bytes of the ndmsg data.

Ensure we're initialising the netlink data to zero, in the link, addr
and neigh response messages.

Fixes: 831119f8 ("mctp: Add neighbour netlink interface")
Fixes: 06d2f4c5 ("mctp: Add netlink route management")
Fixes: 583be982 ("mctp: Add device handling and netlink interface")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260209-dev-mctp-nlmsg-v1-1-f1e30c346a43@codeconstruct.com.au


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 7c375811

net/mctp/device.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -70,6 +70,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb,
		return -EMSGSIZE;

		hdr = nlmsg_data(nlh);
		memset(hdr, 0, sizeof(*hdr));
		hdr->ifa_family = AF_MCTP;
		hdr->ifa_prefixlen = 0;
		hdr->ifa_flags = 0;

net/mctp/neigh.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -218,6 +218,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 portid, u32 seq, int event,
		return -EMSGSIZE;

		hdr = nlmsg_data(nlh);
		memset(hdr, 0, sizeof(*hdr));
		hdr->ndm_family = AF_MCTP;
		hdr->ndm_ifindex = dev->ifindex;
		hdr->ndm_state = 0; // TODO other state bits?

net/mctp/route.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1643,6 +1643,7 @@ static int mctp_fill_rtinfo(struct sk_buff skb, struct mctp_route rt,
		return -EMSGSIZE;

		hdr = nlmsg_data(nlh);
		memset(hdr, 0, sizeof(*hdr));
		hdr->rtm_family = AF_MCTP;

		/* we use the _len fields as a number of EIDs, rather than