Differential D33132

dummynet: Avoid an out-of-bounds read in do_config()
ClosedPublic
Actions

Authored by markj on Nov 26 2021, 4:01 PM.

Tags

None

Referenced Files

	F131806880: D33132.diff
	Sat, Oct 11, 8:03 AM

	Unknown Object (File)
	Sat, Sep 20, 6:19 AM

	Unknown Object (File)
	Thu, Sep 18, 12:12 AM

	Unknown Object (File)
	Fri, Sep 12, 2:20 PM

	Unknown Object (File)
	Sep 9 2025, 6:53 PM

	Unknown Object (File)
	Aug 30 2025, 1:24 AM

	Unknown Object (File)
	Aug 28 2025, 12:07 AM

	Unknown Object (File)
	Aug 27 2025, 12:40 PM

View All 81 Files

Subscribers

Details

Reviewers

Commits

rGd5ea04ee7ba6: dummynet: Avoid an out-of-bounds read in do_config()

Summary

do_config() processes a buffer of variable-length dummynet commands.
The loop which processes this buffer loads the fixed-length header
before checking whether there are any bytes left to read, so it performs
a 4-byte read past the end of the buffer before terminating.

Restructure the loop to avoid this.

Reported by: Jenkins (KASAN job)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Nov 26 2021, 4:01 PM

Herald added subscribers: glebius, donner, melifaro and 2 others. · View Herald TranscriptNov 26 2021, 4:01 PM

markj requested review of this revision.Nov 26 2021, 4:01 PM

markj added a child revision: D33133: dummynet: Fix socket option length validation for IP_DUMMYNET3.

Harbormaster completed remote builds in B42981: Diff 99056.Nov 26 2021, 4:02 PM

kp accepted this revision.Nov 27 2021, 4:40 PM

This revision is now accepted and ready to land.Nov 27 2021, 4:40 PM

Closed by commit rGd5ea04ee7ba6: dummynet: Avoid an out-of-bounds read in do_config() (authored by markj). · Explain WhyNov 29 2021, 6:58 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rGd5ea04ee7ba6: dummynet: Avoid an out-of-bounds read in do_config().

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

ipfw/

4 lines

Diff 99170

sys/netpfil/ipfw/ip_dummynet.c

Loading...