diff options
| author |   claudio <claudio@openbsd.org> | 2017-07-27 12:09:51 +0000 |
|---|---|---|
| committer | claudio <claudio@openbsd.org> | 2017-07-27 12:09:51 +0000 |
| commit | 6b8c64d21d3883285b9541f25c1bc0adbce6f86a (patch) | |
| tree | 39d4e19f03792eec17b91fd035a40a509bfc1eb0 | |
| parent | Stop doing an splsoftnet()/splx() dance inside the NET_LOCK(). (diff) | |
| download | wireguard-openbsd-6b8c64d21d3883285b9541f25c1bc0adbce6f86a.tar.xz wireguard-openbsd-6b8c64d21d3883285b9541f25c1bc0adbce6f86a.zip | |
For pf the anchor is a C string so ensure that the value passed in via ioctl
is correctly NUL terminated.
Reported by Ilja Van Sprundel
With and OK bluhm@
| -rw-r--r-- | sys/net/pf_ioctl.c | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 4661c897487..5993869fe58 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.319 2017/07/19 12:51:30 mikeb Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.320 2017/07/27 12:09:51 claudio Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2104,6 +2104,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } + if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == + sizeof(ioe->anchor)) { + free(table, M_TEMP, sizeof(*table)); + free(ioe, M_TEMP, sizeof(*ioe)); + error = ENAMETOOLONG; + goto fail; + } switch (ioe->type) { case PF_TRANS_TABLE: bzero(table, sizeof(*table)); @@ -2156,6 +2163,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } + if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == + sizeof(ioe->anchor)) { + free(table, M_TEMP, sizeof(*table)); + free(ioe, M_TEMP, sizeof(*ioe)); + error = ENAMETOOLONG; + goto fail; + } switch (ioe->type) { case PF_TRANS_TABLE: bzero(table, sizeof(*table)); @@ -2204,6 +2218,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } + if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == + sizeof(ioe->anchor)) { + free(table, M_TEMP, sizeof(*table)); + free(ioe, M_TEMP, sizeof(*ioe)); + error = ENAMETOOLONG; + goto fail; + } switch (ioe->type) { case PF_TRANS_TABLE: rs = pf_find_ruleset(ioe->anchor); @@ -2251,6 +2272,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } + if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == + sizeof(ioe->anchor)) { + free(table, M_TEMP, sizeof(*table)); + free(ioe, M_TEMP, sizeof(*ioe)); + error = ENAMETOOLONG; + goto fail; + } switch (ioe->type) { case PF_TRANS_TABLE: bzero(table, sizeof(*table)); |