From db241f6ae3226c6b442e69aa01466dd9220bc086 Mon Sep 17 00:00:00 2001
From: glebius <glebius@FreeBSD.org>
Date: Sun, 5 Dec 2004 14:30:38 +0000
Subject: [PATCH] - Use uint16_t to pass argument for NGM_NETFLOW_IFINFO, bump
 cookie. - Always check that index number passed from userland   is <=
 NG_NETFLOW_MAXIFACES. [1] - Increase NG_NETFLOW_MAXIFACES up to 512. [2]

Noticed by:	Roman Palagin [1]
Requested by:	Yuri Y. Bushmelev [2]
MFC after:	1 week
---
 sys/netgraph/netflow/ng_netflow.c | 14 ++++++++++----
 sys/netgraph/netflow/ng_netflow.h |  4 ++--
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/sys/netgraph/netflow/ng_netflow.c b/sys/netgraph/netflow/ng_netflow.c
index 267216d6eedc..8b61d97ab1da 100644
--- a/sys/netgraph/netflow/ng_netflow.c
+++ b/sys/netgraph/netflow/ng_netflow.c
@@ -114,7 +114,7 @@ static const struct ng_cmdlist ng_netflow_cmds[] = {
 	NGM_NETFLOW_COOKIE,
 	NGM_NETFLOW_IFINFO,
 	"ifinfo",
-	&ng_parse_uint8_type,
+	&ng_parse_uint16_type,
 	&ng_netflow_ifinfo_type
        },
        {
@@ -277,12 +277,14 @@ ng_netflow_rcvmsg (node_p node, item_p item, hook_p lasthook)
 		case NGM_NETFLOW_IFINFO:
 		{
 			struct ng_netflow_ifinfo *i;
-			const uint8_t *index;
+			const uint16_t *index;
 
-			if (msg->header.arglen != sizeof(uint8_t))
+			if (msg->header.arglen != sizeof(uint16_t))
 				 ERROUT(EINVAL);
 
-			index  = (uint8_t *)msg->data;
+			index  = (uint16_t *)msg->data;
+			if (*index > NG_NETFLOW_MAXIFACES)
+				ERROUT(EINVAL);
 
 			/* connected iface? */
 			if (priv->ifaces[*index].hook == NULL)
@@ -305,6 +307,8 @@ ng_netflow_rcvmsg (node_p node, item_p item, hook_p lasthook)
 				ERROUT(EINVAL);
 
 			set = (struct ng_netflow_setdlt *)msg->data;
+			if (set->iface > NG_NETFLOW_MAXIFACES)
+				ERROUT(EINVAL);
 			iface = &priv->ifaces[set->iface];
 
 			/* connected iface? */
@@ -332,6 +336,8 @@ ng_netflow_rcvmsg (node_p node, item_p item, hook_p lasthook)
 				ERROUT(EINVAL);
 
 			set = (struct ng_netflow_setifindex *)msg->data;
+			if (set->iface > NG_NETFLOW_MAXIFACES)
+				ERROUT(EINVAL);
 			iface = &priv->ifaces[set->iface];
 
 			/* connected iface? */
diff --git a/sys/netgraph/netflow/ng_netflow.h b/sys/netgraph/netflow/ng_netflow.h
index 4b6f576d3c23..0f8ebcf0d735 100644
--- a/sys/netgraph/netflow/ng_netflow.h
+++ b/sys/netgraph/netflow/ng_netflow.h
@@ -32,9 +32,9 @@
 #define	_NG_NETFLOW_H_
 
 #define NG_NETFLOW_NODE_TYPE	"netflow"
-#define NGM_NETFLOW_COOKIE	1095355665
+#define NGM_NETFLOW_COOKIE	1101814790
 
-#define	NG_NETFLOW_MAXIFACES	64
+#define	NG_NETFLOW_MAXIFACES	512
 
 /* Hook names */