Author: kp
Date: Tue Jan 29 17:49:38 2019
New Revision: 343553
URL: https://svnweb.freebsd.org/changeset/base/343553
Log:
MFC r343295:
pf: Validate psn_len in DIOCGETSRCNODES
psn_len is controlled by user space, but we allocated memory based on it.
Check how much memory we might need at most (i.e. how many source nodes we
have) and limit the allocation to that.
Reported by: markj
Modified:
stable/12/sys/netpfil/pf/pf_ioctl.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/12/sys/netpfil/pf/pf_ioctl.c Tue Jan 29 14:31:41 2019
(r343552)
+++ stable/12/sys/netpfil/pf/pf_ioctl.c Tue Jan 29 17:49:38 2019
(r343553)
@@ -3577,14 +3577,18 @@ DIOCCHANGEADDR_error:
struct pf_src_node *n, *p, *pstore;
uint32_t i, nr = 0;
+ for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
+ i++, sh++) {
+ PF_HASHROW_LOCK(sh);
+ LIST_FOREACH(n, &sh->nodes, entry)
+ nr++;
+ PF_HASHROW_UNLOCK(sh);
+ }
+
+ psn->psn_len = min(psn->psn_len,
+ sizeof(struct pf_src_node) * nr);
+
if (psn->psn_len == 0) {
- for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
- i++, sh++) {
- PF_HASHROW_LOCK(sh);
- LIST_FOREACH(n, &sh->nodes, entry)
- nr++;
- PF_HASHROW_UNLOCK(sh);
- }
psn->psn_len = sizeof(struct pf_src_node) * nr;
break;
}
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
