From 1867ffae9d6bc76572f5876abf5337dba54f5da6 Mon Sep 17 00:00:00 2001
From: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Tue, 10 Feb 2026 01:10:28 +0100
Subject: Netlink: Fix handling of RTAX_CC_ALGO netlink attribute

The kernel-provided congestion control algorithm (RTAX_CC_ALGO) is stored in
an EAF_TYPE_STRING adata blob without the terminating NUL. When exporting
metrics back to netlink, the value is treated as a C string and passed to
nl_add_attr_str(), which uses strlen(str)+1. This may read past the allocated
adata and leak adjacent memory or crash.

Minor change by committer.

diff --git a/sysdep/linux/netlink.c b/sysdep/linux/netlink.c
index 299f132fe..8be5112c4 100644
--- a/sysdep/linux/netlink.c
+++ b/sysdep/linux/netlink.c
@@ -1876,7 +1876,7 @@ nl_parse_route(struct nl_parse_state *s, struct nlmsghdr *h)
 	    }
           else if (t == RTAX_CC_ALGO)
 	    {
-	      struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo));
+	      struct adata *ad = lp_alloc_adata(s->pool, strlen(cc_algo) + 1);
 	      memcpy(ad->data, cc_algo, ad->length);
 
 	      ea->attrs[n++] = (eattr) {
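Review bot: The change to `lp_alloc_adata(s->pool, strlen(cc_algo) + 1)` repairs only the import side, while the export path described in the commit message still calls strlen() on whatever adata blob it is handed. If any other producer of this EAF_TYPE_STRING attribute (a filter assignment, for instance; not visible here) stores the value without a terminator, the same over-read remains, so bounding the export by `ad->length` would be the more robust guard. The changed line would also benefit from a comment such as `/* Keep the terminating NUL: the export path treats ad->data as a C string */`, because ad->length now counts one byte more than the string length. It is also worth confirming that cc_algo is NUL-terminated within the netlink attribute payload before strlen() runs; nl_parse_route's body extends outside this hunk.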
