freebsd-nq/sys/netpfil/pf
Kristof Provost 14b5e85b18 pf: Fix possible out-of-bounds write
In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs,
which is processed in pfr_set_addrs(). At the users request we also provide
feedback on the deleted addresses, by storing them after the new list
('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).

This means we write outside the bounds of the buffer we've just allocated.
We need to look at pfrio_size2 instead (i.e. the size the user reserved for our
feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than
pfrio_size though, in which case we'd still read outside of the allocated
buffer. Instead we allocate the largest of the two values.

Reported By:	Paul J Murphy <paul@inetstat.net>
PR:		207463
MFC after:	5 days
Differential Revision:	https://reviews.freebsd.org/D5426
2016-02-25 07:33:59 +00:00
..
if_pflog.c Mechanically convert to if_inc_counter(). 2014-09-19 09:19:29 +00:00
if_pfsync.c This fixes several places where callout_stops return is examined. The 2015-11-13 22:51:35 +00:00
in4_cksum.c
pf_altq.h Add ALTQ(9) support for the CoDel algorithm. 2015-08-21 22:02:22 +00:00
pf_if.c Remove sys/eventhandler.h from net/route.h 2016-01-09 09:34:39 +00:00
pf_ioctl.c pf: Fix possible out-of-bounds write 2016-02-25 07:33:59 +00:00
pf_lb.c Do not lookup source node twice when pf_map_addr() is used. 2014-08-15 14:16:08 +00:00
pf_mtag.h ALTQ FAIRQ discipline import from DragonFLY 2015-06-24 19:16:41 +00:00
pf_norm.c pf: Fix TSO issues 2015-10-14 16:21:41 +00:00
pf_osfp.c The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
pf_ruleset.c Provide includes that are needed in these files, and before were read 2013-10-26 18:18:50 +00:00
pf_table.c MFP r287070,r287073: split radix implementation and route table structure. 2016-01-25 06:33:15 +00:00
pf.c in pf_print_state_parts, do not use skw->proto to print the protocol but our 2016-02-20 12:53:53 +00:00
pf.h In the forwarding case refragment the reassembled packets with the same 2015-02-16 07:01:02 +00:00