[Bug 208985] DoS / heap overflow in bpf_stats_sysctl

Sun Apr 24 03:01:36 UTC 2016

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208985

csjp at sqrt.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |csjp at sqrt.ca

--- Comment #2 from csjp at sqrt.ca ---

This thought had crossed my mind when I implemented this. This is one of the
reasons I don't like the sysctl(2) interface for this sort of thing. It's also
subject to race conditions when the number of BPF descriptors change after the
size calculation but before we retrieve the data.

The main reason I didn't bound check the size was for two reasons: the amount
of data to allocate is a function of the number of BPF descriptors that are
allocated. There isn't a limit on this (outside of the file descriptor
limitations).

The second reason you point out, is this operation requires privilege. The
reason I make the statement in the comment is because although by default only
root can open this device, it is possible (though not very likely) that the
permissions were changed on the underlying BPF device node, resulting in a BPF
descriptor being created by somebody who wasn't root.

I don't believe the patch as written is correct either, because there is no
connection to this value and the number of descriptors which could be in use at
the time the stats are retrieved. Having said that, I don't think its a bad
idea to bounds check this value either.

-- 
You are receiving this mail because:
You are the assignee for the bug.