Commit three imported bugfixes from OpenBSD 3.4-stable:

- change pf_get_pool() argument rule_number type from u_int32_t to u_int8_t, fixes corruption of address pools with large rulesets (mcbride@) - prevent endless loops with route-to (dhartmei@) - limit option length to 2 octets max (frantzen@) Obtained from: OpenBSD Approved by: mlaier(mentor), bms(mentor)
2004-05-02 20:47:24 +00:00 · 2004-05-02 20:47:24 +00:00 · 56d46e84bd
commit 56d46e84bd
parent 381147f827
3 changed files with 16 additions and 19 deletions
--- a/sys/contrib/pf/net/pf.c
+++ b/sys/contrib/pf/net/pf.c
@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$OpenBSD: pf.c,v 1.389.2.3 2004/04/10 09:38:19 brad Exp $ */
+/*	$OpenBSD: pf.c,v 1.389.2.4 2004/04/30 23:27:57 brad Exp $ */

 /*
 * Copyright (c) 2001 Daniel Hartmeier
@ -5049,17 +5049,14 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
 	if (ifp == NULL)
 		goto bad;

-	mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL);
-	if (mtag == NULL) {
-		struct m_tag *mtag;
+	if (m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL) != NULL)
+		goto bad;
+	mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT);
+	if (mtag == NULL)
+		goto bad;
+	m_tag_prepend(m0, mtag);

-		mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT);
-		if (mtag == NULL)
-			goto bad;
-		m_tag_prepend(m0, mtag);
-	}
-
-	if (oifp != ifp && mtag == NULL) {
+	if (oifp != ifp) {
 #ifdef __FreeBSD__
 		PF_UNLOCK();
 		if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) {
--- a/sys/contrib/pf/net/pf_ioctl.c
+++ b/sys/contrib/pf/net/pf_ioctl.c
@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$OpenBSD: pf_ioctl.c,v 1.81.2.1 2004/03/28 01:34:15 brad Exp $ */
+/*	$OpenBSD: pf_ioctl.c,v 1.81.2.2 2004/04/30 23:28:58 brad Exp $ */

 /*
 * Copyright (c) 2001 Daniel Hartmeier
@ -106,7 +106,7 @@ int			 pfopen(dev_t, int, int, struct proc *);
 int			 pfclose(dev_t, int, int, struct proc *);
 #endif
 struct pf_pool		*pf_get_pool(char *, char *, u_int32_t,
-			    u_int8_t, u_int8_t, u_int8_t, u_int8_t, u_int8_t);
+			    u_int8_t, u_int32_t, u_int8_t, u_int8_t, u_int8_t);
 int			 pf_get_ruleset_number(u_int8_t);
 void			 pf_init_ruleset(struct pf_ruleset *);
 void			 pf_mv_pool(struct pf_palist *, struct pf_palist *);
@ -449,7 +449,7 @@ pfclose(dev_t dev, int flags, int fmt, struct proc *p)

 struct pf_pool *
 pf_get_pool(char *anchorname, char *rulesetname, u_int32_t ticket,
-    u_int8_t rule_action, u_int8_t rule_number, u_int8_t r_last,
+    u_int8_t rule_action, u_int32_t rule_number, u_int8_t r_last,
    u_int8_t active, u_int8_t check_ticket)
 {
 	struct pf_ruleset	*ruleset;
--- a/sys/contrib/pf/net/pf_norm.c
+++ b/sys/contrib/pf/net/pf_norm.c
@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$OpenBSD: pf_norm.c,v 1.75 2003/08/29 01:49:08 dhartmei Exp $ */
+/*	$OpenBSD: pf_norm.c,v 1.75.2.1 2004/04/30 23:28:36 brad Exp $ */

 /*
 * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@ -1535,8 +1535,8 @@ pf_normalize_tcp_init(struct mbuf *m, int off, struct pf_pdesc *pd,
 				}
 				/* FALLTHROUGH */
 			default:
-				hlen -= opt[1];
-				opt += opt[1];
+				hlen -= MAX(opt[1], 2);
+				opt += MAX(opt[1], 2);
 				break;
 			}
 		}
@ -1649,8 +1649,8 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
 				}
 				/* FALLTHROUGH */
 			default:
-				hlen -= opt[1];
-				opt += opt[1];
+				hlen -= MAX(opt[1], 2);
+				opt += MAX(opt[1], 2);
 				break;
 			}
 		}