git: 3f1756dabfe2 - stable/13 - dummynet: Avoid an out-of-bounds read in do_config()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 06 Dec 2021 14:04:58 UTC
The branch stable/13 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=3f1756dabfe263c279c7dc29c54398d95f8b0988
commit 3f1756dabfe263c279c7dc29c54398d95f8b0988
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-11-29 18:50:21 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-12-06 14:04:19 +0000
dummynet: Avoid an out-of-bounds read in do_config()
do_config() processes a buffer of variable-length dummynet commands.
The loop which processes this buffer loads the fixed-length header
before checking whether there are any bytes left to read, so it performs
a 4-byte read past the end of the buffer before terminating.
Restructure the loop to avoid this.
Reported by: Jenkins (KASAN job)
Reviewed by: kp
Sponsored by: The FreeBSD Foundation
(cherry picked from commit d5ea04ee7ba6c7cd8e0918a080caf5f2c8fb3955)
---
sys/netpfil/ipfw/ip_dummynet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/netpfil/ipfw/ip_dummynet.c b/sys/netpfil/ipfw/ip_dummynet.c
index d3242fd85817..cee478a03274 100644
--- a/sys/netpfil/ipfw/ip_dummynet.c
+++ b/sys/netpfil/ipfw/ip_dummynet.c
@@ -2011,7 +2011,9 @@ do_config(void *p, int l)
}
arg = NULL;
dn = NULL;
- for (off = 0; l >= sizeof(o); memcpy(&o, (char *)p + off, sizeof(o))) {
+ off = 0;
+ while (l >= sizeof(o)) {
+ memcpy(&o, (char *)p + off, sizeof(o));
if (o.len < sizeof(o) || l < o.len) {
D("bad len o.len %d len %d", o.len, l);
err = EINVAL;