author | green <green@FreeBSD.org> | 2004-09-30 17:42:00 +0000 |
---|---|---|
committer | green <green@FreeBSD.org> | 2004-09-30 17:42:00 +0000 |
commit | 3f01e230b4cf78c33b4709c03ca99b460021fb87 (patch) | |
tree | 9f2d07918325b1110b602690512acb3cfa25049f /sys/netinet | |
parent | 7a16aef8e53741cd26e6728d56c87ce99dfd7c1a (diff) | |
Validate the action pointer to be within the rule size, so that trying to
add corrupt ipfw rules would not potentially panic the system or worse.
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_fw2.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index a8bcede..2d8197f 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -2846,6 +2846,11 @@ check_ipfw_struct(struct ip_fw *rule, int size)
 printf("ipfw: size mismatch (have %d want %d)\n", size, l);
 return (EINVAL);
 }
+ if (rule->act_ofs >= rule->cmd_len) {
+ printf("ipfw: bogus action offset (%u > %u)\n",
+ rule->act_ofs, rule->cmd_len - 1);
+ return (EINVAL);
+ }
 /*
 * Now go for the individual checks. Very simple ones, basically only
 * instruction sizes. |
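Review bot: The new bound on `rule->act_ofs` only establishes that the offset lies inside the rule's command area; nothing in this hunk confirms it lands on the first word of an instruction, so an offset into the middle of a multi-word opcode would still pass this test. If the per-instruction loop that follows (outside this hunk) does not already enforce that, it should note whether the walk reaches `act_ofs` exactly and return EINVAL otherwise. Separately, when `cmd_len` is 0 the message prints `rule->cmd_len - 1` through `%u` as a wrapped value, and that argument is an `int` after promotion if the field is narrower than `int`; printing `"ipfw: bogus action offset (%u >= %u)\n"` with `rule->cmd_len` itself avoids both. A one-line comment above the test, e.g. `/* the action offset must fall inside the rule's cmd_len */`, would record why the check sits before the opcode walk. check_ipfw_struct begins and ends outside the hunk.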