svn commit: r296340 - stable/10/sys/netpfil/pf

[Kristof Provost]

Author: kp
Date: Thu Mar  3 07:16:35 2016
New Revision: 296340
URL: https://svnweb.freebsd.org/changeset/base/296340

Log:
  MFC: r296025:
  
  pf: Fix possible out-of-bounds write
  
  In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs,
  which is processed in pfr_set_addrs(). At the users request we also provide
  feedback on the deleted addresses, by storing them after the new list
  ('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).
  
  This means we write outside the bounds of the buffer we've just allocated.
  We need to look at pfrio_size2 instead (i.e. the size the user reserved for our
  feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than
  pfrio_size though, in which case we'd still read outside of the allocated
  buffer. Instead we allocate the largest of the two values.
  
  Reported By:        Paul J Murphy <paul at inetstat.net>
  PR:         207463
  Approved by:	re (marius)

Modified:
  stable/10/sys/netpfil/pf/pf_ioctl.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_ioctl.c	Thu Mar  3 07:07:44 2016	(r296339)
+++ stable/10/sys/netpfil/pf/pf_ioctl.c	Thu Mar  3 07:16:35 2016	(r296340)
@@ -2714,13 +2714,14 @@ DIOCCHANGEADDR_error:
 	case DIOCRSETADDRS: {
 		struct pfioc_table *io = (struct pfioc_table *)addr;
 		struct pfr_addr *pfras;
-		size_t totlen;
+		size_t totlen, count;
 
 		if (io->pfrio_esize != sizeof(struct pfr_addr)) {
 			error = ENODEV;
 			break;
 		}
-		totlen = io->pfrio_size * sizeof(struct pfr_addr);
+		count = max(io->pfrio_size, io->pfrio_size2);
+		totlen = count * sizeof(struct pfr_addr);
 		pfras = malloc(totlen, M_TEMP, M_WAITOK);
 		error = copyin(io->pfrio_buffer, pfras, totlen);
 		if (error) {