freebsd-dev

History

Mark Johnston 1c732c8591 dummynet: Fix socket option length validation for IP_DUMMYNET3 The socket option handler tries to ensure that the option length is no larger than some reasonable maximum, and no smaller than sizeof(struct dn_id). But the loaded option length is stored in an int, which is converted to an unsigned integer for the comparison with a size_t, so negative values are not caught and instead get passed to malloc(). Change the code to use a size_t for the buffer size. Reviewed by: kp MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33133	2021-11-29 13:57:24 -05:00
..
ipfw	dummynet: Fix socket option length validation for IP_DUMMYNET3	2021-11-29 13:57:24 -05:00
pf	pf: add pf_bcmp_state_key	2021-11-28 20:15:45 +01:00

Mark Johnston 1c732c8591 dummynet: Fix socket option length validation for IP_DUMMYNET3

The socket option handler tries to ensure that the option length is no
larger than some reasonable maximum, and no smaller than sizeof(struct
dn_id).  But the loaded option length is stored in an int, which is
converted to an unsigned integer for the comparison with a size_t, so
negative values are not caught and instead get passed to malloc().

Change the code to use a size_t for the buffer size.

Reviewed by:	kp
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33133

2021-11-29 13:57:24 -05:00

ipfw

dummynet: Fix socket option length validation for IP_DUMMYNET3

2021-11-29 13:57:24 -05:00

pf: add pf_bcmp_state_key

2021-11-28 20:15:45 +01:00