diff options
author | kp <kp@FreeBSD.org> | 2016-02-25 07:33:59 +0000 |
---|---|---|
committer | kp <kp@FreeBSD.org> | 2016-02-25 07:33:59 +0000 |
commit | 462a1089a3c3efeb38d4434f9c46429b0e5746d3 (patch) | |
tree | b7180fa222d68699d1708532490ff5fc48cf5f8b /sys/netpfil | |
parent | a9e53514f10ae3c5a2aaad205f978f9a6787fcf4 (diff) | |
download | FreeBSD-src-462a1089a3c3efeb38d4434f9c46429b0e5746d3.zip FreeBSD-src-462a1089a3c3efeb38d4434f9c46429b0e5746d3.tar.gz |
pf: Fix possible out-of-bounds write
In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs,
which is processed in pfr_set_addrs(). At the users request we also provide
feedback on the deleted addresses, by storing them after the new list
('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).
This means we write outside the bounds of the buffer we've just allocated.
We need to look at pfrio_size2 instead (i.e. the size the user reserved for our
feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than
pfrio_size though, in which case we'd still read outside of the allocated
buffer. Instead we allocate the largest of the two values.
Reported By: Paul J Murphy <paul@inetstat.net>
PR: 207463
MFC after: 5 days
Differential Revision: https://reviews.freebsd.org/D5426
Diffstat (limited to 'sys/netpfil')
-rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index a5a516f..c98846a 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2718,13 +2718,14 @@ DIOCCHANGEADDR_error: case DIOCRSETADDRS: { struct pfioc_table *io = (struct pfioc_table *)addr; struct pfr_addr *pfras; - size_t totlen; + size_t totlen, count; if (io->pfrio_esize != sizeof(struct pfr_addr)) { error = ENODEV; break; } - totlen = io->pfrio_size * sizeof(struct pfr_addr); + count = max(io->pfrio_size, io->pfrio_size2); + totlen = count * sizeof(struct pfr_addr); pfras = malloc(totlen, M_TEMP, M_WAITOK); error = copyin(io->pfrio_buffer, pfras, totlen); if (error) { |