pf: Do not allow negative ps_len in DIOCGETSTATES

Userspace may pass a negative ps_len value to us, which causes an
assertion failure in malloc().
Treat negative values as zero, i.e. return the required size.

Reported-by:	syzbot+53370d9d0358ee2a059a@syzkaller.appspotmail.com
Reviewed by:	lutz at donnerhacke.de
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D24447
Kristof Provost 2020-04-17 14:35:11 +00:00
parent 4e49fbcd37
commit 95324dc3f4
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=360042

@ -2163,7 +2163,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
struct pfsync_state *pstore, *p;
int i, nr;
if (ps->ps_len == 0) {
if (ps->ps_len <= 0) {
nr = uma_zone_get_cur(V_pf_state_z);
ps->ps_len = sizeof(struct pfsync_state) * nr;
break;
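
Review bot: the new condition `if (ps->ps_len <= 0)` folds a negative length into the size-query path without saying why. A one-line comment above it, noting that ps_len comes from userspace and that a negative value is answered with the required size, would keep a later cleanup from narrowing it back to `== 0`. The check covers only the lower bound, and the allocation itself is not visible in this hunk, so it is worth confirming that a large positive ps_len is also bounded before it reaches malloc(). Separately, `sizeof(struct pfsync_state) * nr` is computed from an int `nr` and stored back into ps_len, which the commit message implies is signed, so the product should be checked to fit that field.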