svn commit: r343554 - stable/11/sys/netpfil/pf

[Kristof Provost]

Author: kp
Date: Tue Jan 29 17:49:39 2019
New Revision: 343554
URL: https://svnweb.freebsd.org/changeset/base/343554

Log:
  MFC r343295:
  
  pf: Validate psn_len in DIOCGETSRCNODES
  
  psn_len is controlled by user space, but we allocated memory based on it.
  Check how much memory we might need at most (i.e. how many source nodes we
  have) and limit the allocation to that.
  
  Reported by:	markj

Modified:
  stable/11/sys/netpfil/pf/pf_ioctl.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf_ioctl.c	Tue Jan 29 17:49:38 2019	(r343553)
+++ stable/11/sys/netpfil/pf/pf_ioctl.c	Tue Jan 29 17:49:39 2019	(r343554)
@@ -3310,14 +3310,18 @@ DIOCCHANGEADDR_error:
 		struct pf_src_node	*n, *p, *pstore;
 		uint32_t		 i, nr = 0;
 
+		for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
+				i++, sh++) {
+			PF_HASHROW_LOCK(sh);
+			LIST_FOREACH(n, &sh->nodes, entry)
+				nr++;
+			PF_HASHROW_UNLOCK(sh);
+		}
+
+		psn->psn_len = min(psn->psn_len,
+		    sizeof(struct pf_src_node) * nr);
+
 		if (psn->psn_len == 0) {
-			for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
-			    i++, sh++) {
-				PF_HASHROW_LOCK(sh);
-				LIST_FOREACH(n, &sh->nodes, entry)
-					nr++;
-				PF_HASHROW_UNLOCK(sh);
-			}
 			psn->psn_len = sizeof(struct pf_src_node) * nr;
 			break;
 		}