pf: Do not allow negative ps_len in DIOCGETSTATES
Userspace may pass a negative ps_len value to us, which causes an assertion failure in malloc(). Treat negative values as zero, i.e. return the required size.

Reported-by: syzbot+53370d9d0358ee2a059a@syzkaller.appspotmail.com
Reviewed by: lutz at donnerhacke.de
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D24447
parent 4e49fbcd37
commit 95324dc3f4
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=360042
@ -2163,7 +2163,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
|
||||
struct pfsync_state *pstore, *p;
|
||||
int i, nr;
|
||||
|
||||
if (ps->ps_len == 0) {
|
||||
if (ps->ps_len <= 0) {
|
||||
nr = uma_zone_get_cur(V_pf_state_z);
|
||||
ps->ps_len = sizeof(struct pfsync_state) * nr;
|
||||
break;
|
||||
|
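Review bot: The `if (ps->ps_len <= 0)` check covers only the lower bound, and the hunk does not show whether a large positive ps_len from userspace is capped before it reaches the malloc() the commit message refers to; it is worth confirming that the code following this block bounds the request, for example against the current state count. Also, `ps->ps_len = sizeof(struct pfsync_state) * nr;` stores an unsigned product into a field that can evidently hold negative values, with `nr` declared as `int`, so a brief comment stating that non-positive lengths are treated as a size query and that the product is assumed to fit the field would make the intent clear to the next reader.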