pf: add missing input/error validation for DIOCGETETHRULE

Sponsored by: Rubicon Communications, LLC ("Netgate")
2022-03-29 14:17:12 +02:00 · 2022-03-29 14:17:12 +02:00 · 81cac0d2f6
commit 81cac0d2f6
parent 514039bb90
1 changed files with 5 additions and 0 deletions
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@ -2672,6 +2672,9 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td

 #define ERROUT(x)	do { error = (x); goto DIOCGETETHRULE_error; } while (0)

+		if (nv->len > pf_ioctl_maxcount)
+			ERROUT(ENOMEM);
+
 		nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
 		if (nvlpacked == NULL)
 			ERROUT(ENOMEM);
@ -2681,6 +2684,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 			ERROUT(error);

 		nvl = nvlist_unpack(nvlpacked, nv->len, 0);
+		if (nvl == NULL)
+			ERROUT(EBADMSG);
 		if (! nvlist_exists_number(nvl, "ticket"))
 			ERROUT(EBADMSG);
 		ticket = nvlist_get_number(nvl, "ticket");