From f2fc809dcd122b7d7d618e7b6c548d89d8a92f91 Mon Sep 17 00:00:00 2001 From: Luiz Otavio O Souza Date: Mon, 17 Aug 2015 23:03:54 +0000 Subject: [PATCH] Fix the copy of addresses passed from userland in table replace command. The size2 is the maximum userland buffer size (used when the addresses are copied back to userland). Obtained from: pfSense MFC after: 3 days Sponsored by: Rubicon Communications (Netgate) --- sys/netpfil/pf/pf_ioctl.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index a062401cdfed..ba43de8d37b8 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2724,8 +2724,7 @@ DIOCCHANGEADDR_error: error = ENODEV; break; } - totlen = (io->pfrio_size + io->pfrio_size2) * - sizeof(struct pfr_addr); + totlen = io->pfrio_size * sizeof(struct pfr_addr); pfras = malloc(totlen, M_TEMP, M_WAITOK); error = copyin(io->pfrio_buffer, pfras, totlen); if (error) {