jimzah/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src.git synced 2024-12-03 14:48:57 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

MFC: r296025:

Browse Source 
pf: Fix possible out-of-bounds write

In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs,
which is processed in pfr_set_addrs(). At the users request we also provide
feedback on the deleted addresses, by storing them after the new list
('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).

This means we write outside the bounds of the buffer we've just allocated.
We need to look at pfrio_size2 instead (i.e. the size the user reserved for our
feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than
pfrio_size though, in which case we'd still read outside of the allocated
buffer. Instead we allocate the largest of the two values.

Reported By:        Paul J Murphy <paul@inetstat.net>
PR:         207463
Approved by:	re (marius)
This commit is contained in:
Kristof Provost 2016-03-03 07:16:35 +00:00
parent 2aab9f2e02
commit 3921ce85a2
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/stable/10/; revision=296340
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/netpfil/pf/pf_ioctl.c
View File

@ -2714,13 +2714,14 @@ DIOCCHANGEADDR_error:
case DIOCRSETADDRS: {
struct pfioc_table *io = (struct pfioc_table *)addr;
struct pfr_addr *pfras;
size_t totlen;
size_t totlen, count;
if (io->pfrio_esize != sizeof(struct pfr_addr)) {
error = ENODEV;
break;
}
totlen = io->pfrio_size * sizeof(struct pfr_addr);
count = max(io->pfrio_size, io->pfrio_size2);
totlen = count * sizeof(struct pfr_addr);
pfras = malloc(totlen, M_TEMP, M_WAITOK);
error = copyin(io->pfrio_buffer, pfras, totlen);
if (error) {