The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ec281d797c4f0b4848c519fae97b5c2c6f368ec5

commit ec281d797c4f0b4848c519fae97b5c2c6f368ec5
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-07-09 13:14:50 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-18 07:33:29 +0000

    pf: fix zero division found by syzkaller
    
    The sanity checks in pf(4) ioctls are not powerful enough to detect invalid
    port ranges (or even invalid rules). syzkaller does not use pfctl(8), it uses
    ioctl(2) to pass some random chunk of memory as a rule to pf(4). Fix adds
    explicit check for 0 divider to pf_get_transaddr(). It should make syzkaller
    happy without disturbing anyone else.
    
    OK gnezdo@
    
    Reported-by:    syzbot+d1f00da48fa717e17...@syzkaller.appspotmail.com
    Obtained from:  OpenBSD, sashan <sas...@openbsd.org>, 38bfd041cb
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_lb.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
index 26f7ab41eef4..9c7863bb301e 100644
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -1012,10 +1012,13 @@ pf_get_transaddr(struct pf_test_ctx *ctx, struct 
pf_krule *r,
 
                if (rpool->proxy_port[1]) {
                        uint32_t        tmp_nport;
+                       uint16_t        div;
 
-                       tmp_nport = ((ntohs(pd->ndport) - 
ntohs(r->dst.port[0])) %
-                           (rpool->proxy_port[1] - rpool->proxy_port[0] +
-                           1)) + rpool->proxy_port[0];
+                       div = r->rdr.proxy_port[1] - r->rdr.proxy_port[0] + 1;
+                       div = (div == 0) ? 1 : div;
+
+                       tmp_nport = ((ntohs(pd->ndport) - 
ntohs(r->dst.port[0])) % div) +
+                           rpool->proxy_port[0];
 
                        /* Wrap around if necessary. */
                        if (tmp_nport > 65535)
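
Review bot: the new divisor is computed from r->rdr.proxy_port[] while the guard (if (rpool->proxy_port[1])) and the base (+ rpool->proxy_port[0]) in the same statement still read through rpool, so the span and the offset can come from different pools unless rpool is always &r->rdr here. Suggest div = rpool->proxy_port[1] - rpool->proxy_port[0] + 1; to keep all three reads on the same object. Separately, div is declared uint16_t, so the int result of the subtraction is truncated before the zero test: a span of exactly 65536 becomes 0 and is clamped to 1, and a reversed range (proxy_port[1] < proxy_port[0]) wraps to a large nonzero modulus instead of being caught. Holding the span in the existing uint32_t width, or rejecting the rule when proxy_port[1] < proxy_port[0], would make the check cover those inputs too. A short comment on the div == 0 clamp saying it only exists for rules injected directly via ioctl(2) would also help the next reader.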
