diff options
author | ae <ae@FreeBSD.org> | 2017-04-21 17:09:37 +0000 |
---|---|---|
committer | Luiz Souza <luiz@netgate.com> | 2017-07-15 11:23:09 -0500 |
commit | 4262d330eb40271f36c9e0c11d09a06e64653352 (patch) | |
tree | 57ecde60bd6d017c8b291ea47c1063ce695276d2 | |
parent | 41eeaa7c0777efd001a354c9c43ede0311edd881 (diff) | |
download | FreeBSD-src-4262d330eb40271f36c9e0c11d09a06e64653352.zip FreeBSD-src-4262d330eb40271f36c9e0c11d09a06e64653352.tar.gz |
MFC r316824:
The rule field in the ipfw_dyn_rule structure is used as storage
to pass rule number and rule set to userland. In r272840 the kernel
internal rule representation was changed and the rulenum field of
struct ip_fw_rule got the type uint32_t, but userlevel representation
still have the type uint16_t. To not overflow the size of pointer
on the systems with 32-bit pointer size use separate variable to
copy rulenum and set.
Reported by: PVS-Studio
(cherry picked from commit 43beaf2023388490ce9f05cd909715fc29f35ed5)
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_dynamic.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c index 77c98c7..1fda948 100644 --- a/sys/netpfil/ipfw/ip_fw_dynamic.c +++ b/sys/netpfil/ipfw/ip_fw_dynamic.c @@ -1710,15 +1710,17 @@ ipfw_dyn_get_count(void) static void export_dyn_rule(ipfw_dyn_rule *src, ipfw_dyn_rule *dst) { + uint16_t rulenum; + rulenum = (uint16_t)src->rule->rulenum; memcpy(dst, src, sizeof(*src)); - memcpy(&(dst->rule), &(src->rule->rulenum), sizeof(src->rule->rulenum)); + memcpy(&dst->rule, &rulenum, sizeof(rulenum)); /* * store set number into high word of * dst->rule pointer. */ - memcpy((char *)&dst->rule + sizeof(src->rule->rulenum), - &(src->rule->set), sizeof(src->rule->set)); + memcpy((char *)&dst->rule + sizeof(rulenum), &src->rule->set, + sizeof(src->rule->set)); /* * store a non-null value in "next". * The userland code will interpret a @@ -1726,8 +1728,8 @@ export_dyn_rule(ipfw_dyn_rule *src, ipfw_dyn_rule *dst) * for the last dynamic rule. */ memcpy(&dst->next, &dst, sizeof(dst)); - dst->expire = - TIME_LEQ(dst->expire, time_uptime) ? 0 : dst->expire - time_uptime; + dst->expire = TIME_LEQ(dst->expire, time_uptime) ? 0: + dst->expire - time_uptime; } /* |