64432ad2a2
Some pf ioctl handlers use strlcpy() to copy strings when converting from user structures to their in-kernel representations. strlcpy() ensures that the destination will be nul-terminated, but it assumes that the source is nul-terminated. In particular, it returns the full length of the source string, so if the source is not nul-terminated, strlcpy() will keep scanning until it finds a nul byte, and it may encounter an unmapped page first. Add a helper to validate user strings before copying. There are also places where we look up a ruleset using a user-provided anchor string. In some ioctl handlers we were already nul-terminating the string, avoiding the same problem, but in other places we were not. Fix those by nul-terminating as well. Aside from being consistent, anchors have a maximum length of MAXPATHLEN - 1 so calling strnlen() might not be so desirable. Reported by: syzbot+35a1549b4663e9483dd1@syzkaller.appspotmail.com Reviewed by: kp MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31169 |
||
---|---|---|
.. | ||
if_pflog.c | ||
if_pfsync.c | ||
in4_cksum.c | ||
pf_altq.h | ||
pf_if.c | ||
pf_ioctl.c | ||
pf_lb.c | ||
pf_mtag.h | ||
pf_norm.c | ||
pf_nv.c | ||
pf_nv.h | ||
pf_osfp.c | ||
pf_ruleset.c | ||
pf_syncookies.c | ||
pf_table.c | ||
pf.c | ||
pf.h |