git: 81cac0d2f603 - main - pf: add missing input/error validation for DIOCGETETHRULE

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 30 Mar 2022 09:17:24 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=81cac0d2f6035e02430fcdfa0ac8a081a9343f8d

commit 81cac0d2f6035e02430fcdfa0ac8a081a9343f8d
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-03-29 12:17:12 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-30 08:28:19 +0000

    pf: add missing input/error validation for DIOCGETETHRULE
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_ioctl.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 3cb5552d20c5..eae7b3bf1fa0 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2672,6 +2672,9 @@ DIOCGETETHRULES_error:
 
 #define ERROUT(x)	do { error = (x); goto DIOCGETETHRULE_error; } while (0)
 
+		if (nv->len > pf_ioctl_maxcount)
+			ERROUT(ENOMEM);
+
 		nvlpacked = malloc(nv->len, M_TEMP, M_WAITOK);
 		if (nvlpacked == NULL)
 			ERROUT(ENOMEM);
@@ -2681,6 +2684,8 @@ DIOCGETETHRULES_error:
 			ERROUT(error);
 
 		nvl = nvlist_unpack(nvlpacked, nv->len, 0);
+		if (nvl == NULL)
+			ERROUT(EBADMSG);
 		if (! nvlist_exists_number(nvl, "ticket"))
 			ERROUT(EBADMSG);
 		ticket = nvlist_get_number(nvl, "ticket");