From a47d77f94622d91c0a4ea341f47494bd00d3770d Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Wed, 29 Jan 2025 15:40:56 -0800
Subject: [PATCH] netlink/route: validate family attribute

PR:			283818
(cherry picked from commit cdacb12065e4d85416655743da5bc6b17a9d9119)
---
 sys/netlink/route/rt.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index abbcc075dde..7cd6e0045f0 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -956,7 +956,7 @@ rtnl_handle_newroute(struct nlmsghdr *hdr, struct nlpcb *nlp,
 	/* pre-2.6.19 Linux API compatibility */
 	if (attrs.rtm_table > 0 && attrs.rta_table == 0)
 		attrs.rta_table = attrs.rtm_table;
-	if (attrs.rta_table >= V_rt_numfibs) {
+	if (attrs.rta_table >= V_rt_numfibs || attrs.rtm_family > AF_MAX) {
 		NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
 		return (EINVAL);
 	}
@@ -1019,7 +1019,7 @@ rtnl_handle_delroute(struct nlmsghdr *hdr, struct nlpcb *nlp,
 		return (ESRCH);
 	}
 
-	if (attrs.rta_table >= V_rt_numfibs) {
+	if (attrs.rta_table >= V_rt_numfibs || attrs.rtm_family > AF_MAX) {
 		NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
 		return (EINVAL);
 	}
@@ -1042,7 +1042,7 @@ rtnl_handle_getroute(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate *
 	if (error != 0)
 		return (error);
 
-	if (attrs.rta_table >= V_rt_numfibs) {
+	if (attrs.rta_table >= V_rt_numfibs || attrs.rtm_family > AF_MAX) {
 		NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
 		return (EINVAL);
 	}