pf: Do not allow negative ps_len in DIOCGETSTATES
ClosedPublic
Actions

Authored by kp on Apr 16 2020, 7:29 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Sun, Apr 5, 1:46 PM

	Unknown Object (File)
	Sat, Apr 4, 2:43 PM

	Unknown Object (File)
	Sat, Apr 4, 12:54 AM

	Unknown Object (File)
	Wed, Apr 1, 7:40 AM

	Unknown Object (File)
	Sun, Mar 29, 5:24 PM

	Unknown Object (File)
	Sun, Mar 29, 3:04 PM

	Unknown Object (File)
	Sun, Mar 29, 7:59 AM

	Unknown Object (File)
	Sat, Mar 28, 6:01 PM

Subscribers

Details

Reviewers

donner

Group Reviewers

network

Commits

rS360042: pf: Do not allow negative ps_len in DIOCGETSTATES

Summary

Userspace may pass a negative ps_len value to us, which causes an
assertion failure in malloc().
Treat negative values as zero, i.e. return the required size.

Reported-by: syzbot+53370d9d0358ee2a059a@syzkaller.appspotmail.com

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Apr 16 2020, 7:29 PM

Herald added subscribers: melifaro, farrokhi. · View Herald TranscriptApr 16 2020, 7:29 PM

Harbormaster completed remote builds in B30536: Diff 70652.Apr 16 2020, 7:29 PM

donner accepted this revision as: donner.Apr 16 2020, 8:32 PM

This revision is now accepted and ready to land.Apr 16 2020, 8:32 PM

Closed by commit rS360042: pf: Do not allow negative ps_len in DIOCGETSTATES (authored by kp). · Explain WhyApr 17 2020, 2:35 PM

This revision was automatically updated to reflect the committed changes.

kp added a commit: rS360042: pf: Do not allow negative ps_len in DIOCGETSTATES.

Herald added a subscriber: imp. · View Herald TranscriptApr 17 2020, 2:35 PM

Revision Contents
Changeset List

Path

Size

head/

sys/

netpfil/

pf/

pf_ioctl.c

2 lines

Diff 70688

View Options

head/sys/netpfil/pf/pf_ioctl.c

pf: Do not allow negative ps_len in DIOCGETSTATESClosedPublicActions