From 4040f4ecd66f52c921f6308372d14cb51ed7a10b Mon Sep 17 00:00:00 2001
From: "Alexander V. Chernikov"
Date: Sun, 19 Oct 2014 11:15:19 +0000
Subject: [PATCH] Perform more checks on the number of tables supplied by user.

---
 sys/netpfil/ipfw/ip_fw_table.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/sys/netpfil/ipfw/ip_fw_table.c b/sys/netpfil/ipfw/ip_fw_table.c
index fa92b0ed8d82..045ca27b4ec3 100644
--- a/sys/netpfil/ipfw/ip_fw_table.c
+++ b/sys/netpfil/ipfw/ip_fw_table.c
@@ -1489,6 +1489,21 @@ destroy_table(struct ip_fw_chain *ch, struct tid_info *ti)
 	return (0);
 }
 
+static uint32_t
+roundup2p(uint32_t v)
+{
+
+	v--;
+	v |= v >> 1;
+	v |= v >> 2;
+	v |= v >> 4;
+	v |= v >> 8;
+	v |= v >> 16;
+	v++;
+
+	return (v);
+}
+
 /*
  * Grow tables index.
  *
@@ -1505,8 +1520,12 @@ ipfw_resize_tables(struct ip_fw_chain *ch, unsigned int ntables)
 	int i, new_blocks;
 
 	/* Check new value for validity */
+	if (ntables == 0)
+		return (EINVAL);
 	if (ntables > IPFW_TABLES_MAX)
 		ntables = IPFW_TABLES_MAX;
+	/* Alight to nearest power of 2 */
+	ntables = (unsigned int)roundup2p(ntables);
 
 	/* Allocate new pointers */
 	tablestate = malloc(ntables * sizeof(struct table_info),
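Review bot: roundup2p has no comment stating its valid input range, and both edges of that range silently yield 0: for `v == 0` the leading `v--` wraps to all ones and the trailing `v++` wraps back to 0, and for any `v > 1U << 31` the or-chain sets every bit so the final increment wraps to 0 as well. The only caller in this patch rejects 0 and clamps to IPFW_TABLES_MAX before calling, but that precondition lives in the caller and a future caller passing a raw user value would get a zero-sized table index. I would record the contract above the definition: `/* Round v up to the next power of two. Returns 0 for v == 0 and for v > (1U << 31); callers must range-check first. */`.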
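Review bot: The new `ntables = (unsigned int)roundup2p(ntables);` runs after the clamp to IPFW_TABLES_MAX, so if that constant is not itself a power of two the clamped value is rounded back above the limit and the clamp is defeated; the constant's value is not visible in this hunk, so I cannot confirm whether that holds today. Swapping the two statements is not a safe alternative, because roundup2p returns 0 for inputs above 2^31 and the clamp would then never fire, so the assumption should instead be pinned next to the constant, e.g. `CTASSERT(powerof2(IPFW_TABLES_MAX));` if those macros are in scope in this file. The added comment also has a typo and describes the operation imprecisely, since the helper rounds up rather than to the nearest value: `/* Round up to the next power of 2 */`. ipfw_resize_tables continues past the hunk, so how the malloc result and the rounded count are used afterwards is not visible here.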