Module Name: src
Committed By: maxv
Date: Fri Feb 9 21:25:04 UTC 2018
Modified Files:
src/sys/dist/pf/net: pf.c
Log Message:
Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.
It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.
This bug was reported 8 years ago by Lucio Albornoz in PR/44059.
To generate a diff of this commit:
cvs rdiff -u -r1.77 -r1.78 src/sys/dist/pf/net/pf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dist/pf/net/pf.c
diff -u src/sys/dist/pf/net/pf.c:1.77 src/sys/dist/pf/net/pf.c:1.78
--- src/sys/dist/pf/net/pf.c:1.77 Tue Oct 31 15:00:03 2017
+++ src/sys/dist/pf/net/pf.c Fri Feb 9 21:25:04 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: pf.c,v 1.77 2017/10/31 15:00:03 christos Exp $ */
+/* $NetBSD: pf.c,v 1.78 2018/02/09 21:25:04 maxv Exp $ */
/* $OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */
/*
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.77 2017/10/31 15:00:03 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.78 2018/02/09 21:25:04 maxv Exp $");
#include "pflog.h"
@@ -1590,7 +1590,7 @@ pf_modulate_sack(struct mbuf *m, int off
struct sackblk sack;
#ifdef __NetBSD__
-#define TCPOLEN_SACK (2 * sizeof(uint32_t))
+#define TCPOLEN_SACK 8 /* 2*sizeof(tcp_seq) */
#endif
#define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
