svn commit: r360608 - stable/11/sys/netpfil/pf

Kristof Provost Sun, 03 May 2020 09:07:10 -0700

Author: kp
Date: Sun May  3 16:06:23 2020
New Revision: 360608
URL: https://svnweb.freebsd.org/changeset/base/360608


Log:
  MFC r360344:
  
  pf: Improve input validation
  
  If we pass an anchor name which doesn't exist pfr_table_count() returns
  -1, which leads to an overflow in mallocarray() and thus a panic.
  
  Explicitly check that pfr_table_count() does not return an error.
  
  Reported-by:  syzbot+bd09d55d897d63d5f...@syzkaller.appspotmail.com

Modified:
  stable/11/sys/netpfil/pf/pf_ioctl.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf_ioctl.c Sun May  3 16:06:17 2020        
(r360607)
+++ stable/11/sys/netpfil/pf/pf_ioctl.c Sun May  3 16:06:23 2020        
(r360608)
@@ -2593,7 +2593,8 @@ DIOCCHANGEADDR_error:
        case DIOCRGETTABLES: {
                struct pfioc_table *io = (struct pfioc_table *)addr;
                struct pfr_table *pfrts;
-               size_t totlen, n;
+               size_t totlen;
+               int n;
 
                if (io->pfrio_esize != sizeof(struct pfr_table)) {
                        error = ENODEV;
@@ -2601,6 +2602,11 @@ DIOCCHANGEADDR_error:
                }
                PF_RULES_RLOCK();
                n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
+               if (n < 0) {
+                       PF_RULES_RUNLOCK();
+                       error = EINVAL;
+                       break;
+               }
                io->pfrio_size = min(io->pfrio_size, n);
 
                totlen = io->pfrio_size * sizeof(struct pfr_table);
@@ -2624,7 +2630,8 @@ DIOCCHANGEADDR_error:
        case DIOCRGETTSTATS: {
                struct pfioc_table *io = (struct pfioc_table *)addr;
                struct pfr_tstats *pfrtstats;
-               size_t totlen, n;
+               size_t totlen;
+               int n;
 
                if (io->pfrio_esize != sizeof(struct pfr_tstats)) {
                        error = ENODEV;
@@ -2632,6 +2639,11 @@ DIOCCHANGEADDR_error:
                }
                PF_RULES_WLOCK();
                n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
+               if (n < 0) {
+                       PF_RULES_WUNLOCK();
+                       error = EINVAL;
+                       break;
+               }
                io->pfrio_size = min(io->pfrio_size, n);
 
                totlen = io->pfrio_size * sizeof(struct pfr_tstats);
@@ -2654,7 +2666,8 @@ DIOCCHANGEADDR_error:
        case DIOCRCLRTSTATS: {
                struct pfioc_table *io = (struct pfioc_table *)addr;
                struct pfr_table *pfrts;
-               size_t totlen, n;
+               size_t totlen;
+               int n;
 
                if (io->pfrio_esize != sizeof(struct pfr_table)) {
                        error = ENODEV;
@@ -2663,6 +2676,11 @@ DIOCCHANGEADDR_error:
 
                PF_RULES_WLOCK();
                n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
+               if (n < 0) {
+                       PF_RULES_WUNLOCK();
+                       error = EINVAL;
+                       break;
+               }
                io->pfrio_size = min(io->pfrio_size, n);
 
                totlen = io->pfrio_size * sizeof(struct pfr_table);
@@ -2689,7 +2707,8 @@ DIOCCHANGEADDR_error:
        case DIOCRSETTFLAGS: {
                struct pfioc_table *io = (struct pfioc_table *)addr;
                struct pfr_table *pfrts;
-               size_t totlen, n;
+               size_t totlen;
+               int n;
 
                if (io->pfrio_esize != sizeof(struct pfr_table)) {
                        error = ENODEV;
@@ -2698,6 +2717,12 @@ DIOCCHANGEADDR_error:
 
                PF_RULES_RLOCK();
                n = pfr_table_count(&io->pfrio_table, io->pfrio_flags);
+               if (n < 0) {
+                       PF_RULES_RUNLOCK();
+                       error = EINVAL;
+                       break;
+               }
+
                io->pfrio_size = min(io->pfrio_size, n);
                PF_RULES_RUNLOCK();
 
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

svn commit: r360608 - stable/11/sys/netpfil/pf

Reply via email to