Page MenuHomeFreeBSD
Differential D28362

pf: Improve pf_rule input validation
ClosedPublic
Actions

Authored by kp on Jan 26 2021, 7:31 PM.
Tags
None
Referenced Files
F134027659: D28362.id.diff
Thu, Oct 30, 3:41 AM
Unknown Object (File)
Wed, Oct 29, 10:45 AM
Unknown Object (File)
Wed, Oct 29, 10:42 AM
Unknown Object (File)
Wed, Oct 29, 10:25 AM
Unknown Object (File)
Wed, Oct 29, 10:23 AM
Unknown Object (File)
Wed, Oct 29, 10:23 AM
Unknown Object (File)
Wed, Oct 29, 10:22 AM
Unknown Object (File)
Wed, Oct 29, 5:39 AM
View All Files
Subscribers
donner
farrokhi
imp
melifaro
tuexen

Details

Reviewers
tuexen
donner
Group Reviewers
network
Commits
rG71abbe15d01f: pf: Improve pf_rule input validation
rG18697b446b95: pf: Improve pf_rule input validation
rG7a808c5ee329: pf: Improve pf_rule input validation
Summary

Move the validation checks to pf_rule_to_krule() to reduce duplication.
This also makes the checks consistent across different ioctls.

MFC after: 1 week

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Jan 26 2021, 7:31 PM
Herald added subscribers: melifaro, farrokhi, imp. · View Herald TranscriptJan 26 2021, 7:31 PM
kp requested review of this revision.Jan 26 2021, 7:31 PM
Harbormaster completed remote builds in B36518: Diff 82942.Jan 26 2021, 7:31 PM
donner added a subscriber: donner.Jan 26 2021, 8:21 PM
donner added inline comments.
sys/netpfil/pf/pf_ioctl.c
1564–1574

I'd reverse this logic.

#ifdef INET
     if (rule->af == AF_INET)     ;
     else
#endif
#ifdef INET6
     if (rule->af == AF_INET6)    ;
     else
#endif
      return (EAFNOSUPPORT);

So each family only tests it's own positive case. And all other families fail automatically.
But your approach has the charm, that it does not generate any code, if all families are supported.

donner added inline comments.Jan 26 2021, 8:28 PM
sys/netpfil/pf/pf_ioctl.c
1564–1574

Even more clever approach

switch (rule->af) {
#ifdef INET
    case AF_INET: break;
#endif
#ifdef INET6
    case AF_INET6: break;
#endif
    default: return (EAFNOSUPPORT);
}
tuexen accepted this revision.Jan 27 2021, 9:19 AM
tuexen added a subscriber: tuexen.

I tested the patch. It fixes: panic: pfi_dynaddr_setup: non-NULL dyn (2).

This revision is now accepted and ready to land.Jan 27 2021, 9:19 AM
kp marked an inline comment as done.Jan 27 2021, 2:17 PM
kp added inline comments.
sys/netpfil/pf/pf_ioctl.c
1564–1574

I like the suggestion, but it turns out not to work. We don't always specify an address family (i.e. rule->af can be 0)

donner accepted this revision as: donner.Jan 27 2021, 2:38 PM

Okay.

Closed by commit rG7a808c5ee329: pf: Improve pf_rule input validation (authored by kp). · Explain WhyJan 27 2021, 4:42 PM
This revision was automatically updated to reflect the committed changes.
kp marked an inline comment as done.
kp added a commit: rG7a808c5ee329: pf: Improve pf_rule input validation.
kp added a commit: rG18697b446b95: pf: Improve pf_rule input validation.Feb 3 2021, 2:20 PM
kp added a commit: rG71abbe15d01f: pf: Improve pf_rule input validation.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
72 lines

Diff 82981

View Options

sys/netpfil/pf/pf_ioctl.c

Loading...