pf: Make tag hashing more robust

tagname2tag() hashes the tag name before truncating it to 63 characters.
tag_unref() removes the tag from the name hash by computing the hash
over the truncated name.  Ensure that both operations compute the same
hash for a given tag.

The larger issue is a lack of string validation in pf(4) ioctl handlers.
This is intended to be fixed with some future work, but an extra safety
belt in tagname2hashindex() is worthwhile regardless.

Reported by:	syzbot+a0988828aafb00de7d68@syzkaller.appspotmail.com
Reviewed by:	kp
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D27346
Mark Johnston 2020-11-24 16:18:47 +00:00
parent 384d27e04d
commit 5d49283f88

@ -512,8 +512,10 @@ pf_cleanup_tagset(struct pf_tagset *ts)
static uint16_t
tagname2hashindex(const struct pf_tagset *ts, const char *tagname)
{
size_t len;
return (murmur3_32_hash(tagname, strlen(tagname), ts->seed) & ts->mask);
len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);
return (murmur3_32_hash(tagname, len, ts->seed) & ts->mask);
}
static uint16_t
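Review bot: in tagname2hashindex(), the PF_TAG_NAME_SIZE - 1 clamp carries no comment tying it to the truncation done in tagname2tag(), so the reason the hash stops at that length is recorded only in the commit message. A short comment above `len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);` stating that stored tag names are truncated to that length, and that the insert path and tag_unref() must hash the same bytes, would keep the two in step if the truncation length ever changes. The same comment could say that strnlen() only bounds the hash input here and does not validate the string passed in from the ioctl handlers, which the commit message leaves to future work.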