git: 81cac0d2f603 - main - pf: add missing input/error validation for DIOCGETETHRULE
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 30 Mar 2022 09:17:24 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=81cac0d2f6035e02430fcdfa0ac8a081a9343f8d commit 81cac0d2f6035e02430fcdfa0ac8a081a9343f8d Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2022-03-29 12:17:12 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-03-30 08:28:19 +0000 pf: add missing input/error validation for DIOCGETETHRULE Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf_ioctl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 3cb5552d20c5..eae7b3bf1fa0 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2672,6 +2672,9 @@ DIOCGETETHRULES_error: #define ERROUT(x) do { error = (x); goto DIOCGETETHRULE_error; } while (0) + if (nv->len > pf_ioctl_maxcount) + ERROUT(ENOMEM); + nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK); if (nvlpacked == NULL) ERROUT(ENOMEM); @@ -2681,6 +2684,8 @@ DIOCGETETHRULES_error: ERROUT(error); nvl = nvlist_unpack(nvlpacked, nv->len, 0); + if (nvl == NULL) + ERROUT(EBADMSG); if (! nvlist_exists_number(nvl, "ticket")) ERROUT(EBADMSG); ticket = nvlist_get_number(nvl, "ticket");