pf: Validate psn_len in DIOCGETSRCNODES

psn_len is controlled by user space, but we allocated memory based on it.
Check how much memory we might need at most (i.e. how many source nodes we
have) and limit the allocation to that.

Reported by:	markj
MFC after:	1 week
kp 2019-01-22 02:13:33 +00:00
parent 847d55bb3f
commit 9b4f8892f4


@ -3577,14 +3577,18 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
struct pf_src_node *n, *p, *pstore;
uint32_t i, nr = 0;
for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
i++, sh++) {
PF_HASHROW_LOCK(sh);
LIST_FOREACH(n, &sh->nodes, entry)
nr++;
PF_HASHROW_UNLOCK(sh);
}
psn->psn_len = min(psn->psn_len,
sizeof(struct pf_src_node) * nr);
if (psn->psn_len == 0) {
for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
i++, sh++) {
PF_HASHROW_LOCK(sh);
LIST_FOREACH(n, &sh->nodes, entry)
nr++;
PF_HASHROW_UNLOCK(sh);
}
psn->psn_len = sizeof(struct pf_src_node) * nr;
break;
}
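Review bot: The clamp `psn->psn_len = min(psn->psn_len, sizeof(struct pf_src_node) * nr);` depends on two types this hunk does not show: the prototype of `min()` and the declaration of `psn_len`. If `min()` is the `u_int` helper, as I believe it is in the kernel's libkern, the `size_t` product is narrowed before the comparison, and a negative `psn_len` from user space is bounded only because it converts to a large unsigned value. I would state the intent above the clamp, for example `/* psn_len comes from user space; never size the allocation beyond what the current source nodes need. */`, or compute the bound in a `size_t` local and compare explicitly so the validation does not rest on implicit conversions. `nr` is also a snapshot taken with the row locks dropped between rows, so the copy-out code after this hunk, which is not visible here, still has to stop at `psn_len` rather than at the end of the hash.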