git: f8d1f2da0922 - stable/12 - pf: Slightly relax pf_rule_addr validation
Kristof Provost
kp at FreeBSD.org
Wed Feb 17 13:06:12 UTC 2021
The branch stable/12 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=f8d1f2da0922fdff846b13baa7315652b43aa95c
commit f8d1f2da0922fdff846b13baa7315652b43aa95c
Author: Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-02-13 15:31:52 +0000
Commit: Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-02-17 09:11:19 +0000
pf: Slightly relax pf_rule_addr validation
Ensure we don't reject no-route / urpf-failed addresses.
PR: 253479
Reported by: michal AT microwave.sk
Reviewed by: donner@
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D28650
(cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)
---
sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
1 file changed, 30 insertions(+), 17 deletions(-)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index bbb9cfe39586..edf147699235 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1558,9 +1558,33 @@ pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
}
+static int
+pf_check_rule_addr(const struct pf_rule_addr *addr)
+{
+
+ switch (addr->addr.type) {
+ case PF_ADDR_ADDRMASK:
+ case PF_ADDR_NOROUTE:
+ case PF_ADDR_DYNIFTL:
+ case PF_ADDR_TABLE:
+ case PF_ADDR_URPFFAILED:
+ case PF_ADDR_RANGE:
+ break;
+ default:
+ return (EINVAL);
+ }
+
+ if (addr->addr.p.dyn != NULL) {
+ return (EINVAL);
+ }
+
+ return (0);
+}
+
static int
pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
{
+ int ret;
#ifndef INET
if (rule->af == AF_INET) {
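Review bot: The new pf_check_rule_addr() carries no comment explaining what it validates or why a non-NULL addr->addr.p.dyn is rejected, which is the part of the check a later maintainer is most likely to remove as "dead" since the value is never dereferenced here. Given this lives in pf_ioctl.c and is called from pf_rule_to_krule on a userland-supplied struct pf_rule, the pointer slot is presumably kernel-owned and filled in later, so a non-NULL value from the caller indicates a malformed request; that intent should be written down. Suggested header comment above the function: `/* Validate a rule address received from userland: only the listed address types are accepted, and the p.dyn pointer slot is kernel-owned, so any non-NULL value supplied by the caller is rejected with EINVAL. */`. A short `/* kernel-owned; must not be set by userland */` on the `if (addr->addr.p.dyn != NULL)` line would also help. The braced single-statement body there also differs from the brace-less `if (ret != 0)` style used at the call sites in the second hunk; pick one form for the commit.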
@@ -1573,23 +1597,12 @@ pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
}
#endif /* INET6 */
- if (rule->src.addr.type != PF_ADDR_ADDRMASK &&
- rule->src.addr.type != PF_ADDR_DYNIFTL &&
- rule->src.addr.type != PF_ADDR_TABLE) {
- return (EINVAL);
- }
- if (rule->src.addr.p.dyn != NULL) {
- return (EINVAL);
- }
-
- if (rule->dst.addr.type != PF_ADDR_ADDRMASK &&
- rule->dst.addr.type != PF_ADDR_DYNIFTL &&
- rule->dst.addr.type != PF_ADDR_TABLE) {
- return (EINVAL);
- }
- if (rule->dst.addr.p.dyn != NULL) {
- return (EINVAL);
- }
+ ret = pf_check_rule_addr(&rule->src);
+ if (ret != 0)
+ return (ret);
+ ret = pf_check_rule_addr(&rule->dst);
+ if (ret != 0)
+ return (ret);
bzero(krule, sizeof(*krule));