
D31169.id92163.diff


Index: sys/netpfil/pf/pf_ioctl.c
===================================================================
--- sys/netpfil/pf/pf_ioctl.c
+++ sys/netpfil/pf/pf_ioctl.c
@@ -275,6 +275,13 @@
extern u_long pf_ioctl_maxcount;
+/* Check whether a user-provided string is nul-terminated. */
+static int
+pf_check_ustr(const char *str, size_t sz)
+{
+ return (strnlen(str, sz) >= sz ? EINVAL : 0);
+}
+
static void
pfattach_vnet(void)
{
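Review bot: The comment on pf_check_ustr does not say what sz is or what the function returns, and since it becomes the single validation point for every ioctl string in this change that contract is worth stating. Suggest replacing the one-line comment with `/* Return EINVAL unless str has a NUL within its first sz bytes; sz is the size of the fixed-width field the string lives in, so a string that fills the field with no terminator is rejected. */`. The `>= sz` comparison is correct for that contract, since strnlen() returning sz means no terminator was found.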
@@ -1513,14 +1520,20 @@
strlcpy(pool->ifname, kpool->ifname, sizeof(pool->ifname));
}
-static void
+static int
pf_pooladdr_to_kpooladdr(const struct pf_pooladdr *pool,
struct pf_kpooladdr *kpool)
{
+ int ret;
+
+ ret = pf_check_ustr(pool->ifname, sizeof(pool->ifname));
+ if (ret != 0)
+ return (ret);
bzero(kpool, sizeof(*kpool));
bcopy(&pool->addr, &kpool->addr, sizeof(kpool->addr));
- strlcpy(kpool->ifname, pool->ifname, sizeof(kpool->ifname));
+ (void)strlcpy(kpool->ifname, pool->ifname, sizeof(kpool->ifname));
+ return (0);
}
static void
@@ -1680,19 +1693,42 @@
if (ret != 0)
return (ret);
+ ret = pf_check_ustr(rule->label, sizeof(rule->label));
+ if (ret != 0)
+ return (ret);
+ ret = pf_check_ustr(rule->ifname, sizeof(rule->ifname));
+ if (ret != 0)
+ return (ret);
+ ret = pf_check_ustr(rule->qname, sizeof(rule->qname));
+ if (ret != 0)
+ return (ret);
+ ret = pf_check_ustr(rule->pqname, sizeof(rule->pqname));
+ if (ret != 0)
+ return (ret);
+ ret = pf_check_ustr(rule->tagname, sizeof(rule->tagname));
+ if (ret != 0)
+ return (ret);
+ ret = pf_check_ustr(rule->match_tagname, sizeof(rule->match_tagname));
+ if (ret != 0)
+ return (ret);
+ ret = pf_check_ustr(rule->overload_tblname,
+ sizeof(rule->overload_tblname));
+ if (ret != 0)
+ return (ret);
+
bzero(krule, sizeof(*krule));
bcopy(&rule->src, &krule->src, sizeof(rule->src));
bcopy(&rule->dst, &krule->dst, sizeof(rule->dst));
- strlcpy(krule->label[0], rule->label, sizeof(rule->label));
- strlcpy(krule->ifname, rule->ifname, sizeof(rule->ifname));
- strlcpy(krule->qname, rule->qname, sizeof(rule->qname));
- strlcpy(krule->pqname, rule->pqname, sizeof(rule->pqname));
- strlcpy(krule->tagname, rule->tagname, sizeof(rule->tagname));
- strlcpy(krule->match_tagname, rule->match_tagname,
+ (void)strlcpy(krule->label[0], rule->label, sizeof(rule->label));
+ (void)strlcpy(krule->ifname, rule->ifname, sizeof(rule->ifname));
+ (void)strlcpy(krule->qname, rule->qname, sizeof(rule->qname));
+ (void)strlcpy(krule->pqname, rule->pqname, sizeof(rule->pqname));
+ (void)strlcpy(krule->tagname, rule->tagname, sizeof(rule->tagname));
+ (void)strlcpy(krule->match_tagname, rule->match_tagname,
sizeof(rule->match_tagname));
- strlcpy(krule->overload_tblname, rule->overload_tblname,
+ (void)strlcpy(krule->overload_tblname, rule->overload_tblname,
sizeof(rule->overload_tblname));
ret = pf_pool_to_kpool(&rule->rpool, &krule->rpool);
@@ -1769,15 +1805,25 @@
pf_state_kill_to_kstate_kill(const struct pfioc_state_kill *psk,
struct pf_kstate_kill *kill)
{
+ int ret;
+
bzero(kill, sizeof(*kill));
+ ret = pf_check_ustr(psk->psk_ifname, sizeof(psk->psk_ifname));
+ if (ret != 0)
+ return (ret);
+ ret = pf_check_ustr(psk->psk_label, sizeof(psk->psk_label));
+ if (ret != 0)
+ return (ret);
+
bcopy(&psk->psk_pfcmp, &kill->psk_pfcmp, sizeof(kill->psk_pfcmp));
kill->psk_af = psk->psk_af;
kill->psk_proto = psk->psk_proto;
bcopy(&psk->psk_src, &kill->psk_src, sizeof(kill->psk_src));
bcopy(&psk->psk_dst, &kill->psk_dst, sizeof(kill->psk_dst));
- strlcpy(kill->psk_ifname, psk->psk_ifname, sizeof(kill->psk_ifname));
- strlcpy(kill->psk_label, psk->psk_label, sizeof(kill->psk_label));
+ (void)strlcpy(kill->psk_ifname, psk->psk_ifname,
+ sizeof(kill->psk_ifname));
+ (void)strlcpy(kill->psk_label, psk->psk_label, sizeof(kill->psk_label));
return (0);
}
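Review bot: The two new pf_check_ustr calls run after `bzero(kill, sizeof(*kill));`, whereas pf_pooladdr_to_kpooladdr in this same change validates its input before touching the output structure. Moving the bzero below the second check keeps the two converters consistent and avoids writing to kill on the error path; as far as is visible here this is only a style point, since callers presumably discard kill when a non-zero value is returned. The function's `static int` line sits just above the hunk.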
@@ -2331,8 +2377,9 @@
struct pf_krule *tail;
int rs_num;
- PF_RULES_WLOCK();
pr->anchor[sizeof(pr->anchor) - 1] = 0;
+
+ PF_RULES_WLOCK();
ruleset = pf_find_kruleset(pr->anchor);
if (ruleset == NULL) {
PF_RULES_WUNLOCK();
@@ -2362,8 +2409,9 @@
struct pf_krule *rule;
int rs_num;
- PF_RULES_WLOCK();
pr->anchor[sizeof(pr->anchor) - 1] = 0;
+
+ PF_RULES_WLOCK();
ruleset = pf_find_kruleset(pr->anchor);
if (ruleset == NULL) {
PF_RULES_WUNLOCK();
@@ -2552,6 +2600,8 @@
u_int32_t nr = 0;
int rs_num;
+ pcr->anchor[sizeof(pcr->anchor) - 1] = 0;
+
if (pcr->action < PF_CHANGE_ADD_HEAD ||
pcr->action > PF_CHANGE_GET_TICKET) {
error = EINVAL;
@@ -2996,8 +3046,11 @@
bzero(V_pf_status.ifname, IFNAMSIZ);
break;
}
+ error = pf_check_ustr(pi->ifname, sizeof(pi->ifname));
+ if (error != 0)
+ break;
PF_RULES_WLOCK();
- strlcpy(V_pf_status.ifname, pi->ifname, IFNAMSIZ);
+ (void)strlcpy(V_pf_status.ifname, pi->ifname, IFNAMSIZ);
PF_RULES_WUNLOCK();
break;
}
@@ -3163,19 +3216,24 @@
struct pf_ifspeed_v1 ps;
struct ifnet *ifp;
- if (psp->ifname[0] != 0) {
- /* Can we completely trust user-land? */
- strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
- ifp = ifunit(ps.ifname);
- if (ifp != NULL) {
- psp->baudrate32 =
- (u_int32_t)uqmin(ifp->if_baudrate, UINT_MAX);
- if (cmd == DIOCGIFSPEEDV1)
- psp->baudrate = ifp->if_baudrate;
- } else
- error = EINVAL;
- } else
+ error = pf_check_ustr(psp->ifname, sizeof(psp->ifname));
+ if (error != 0)
+ break;
+ if (psp->ifname[0] == '\0') {
+ error = EINVAL;
+ break;
+ }
+
+ (void)strlcpy(ps.ifname, psp->ifname, IFNAMSIZ);
+ ifp = ifunit(ps.ifname);
+ if (ifp != NULL) {
+ psp->baudrate32 =
+ (u_int32_t)uqmin(ifp->if_baudrate, UINT_MAX);
+ if (cmd == DIOCGIFSPEEDV1)
+ psp->baudrate = ifp->if_baudrate;
+ } else {
error = EINVAL;
+ }
break;
}
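Review bot: Now that pf_check_ustr guarantees psp->ifname is NUL-terminated, the copy into ps.ifname followed by `ifunit(ps.ifname)` is only a defensive scratch copy and the `ps` local serves no other purpose in the hunk. If sizeof(psp->ifname) equals IFNAMSIZ (not visible here, but implied by the strlcpy length), `ifp = ifunit(psp->ifname);` would let the `struct pf_ifspeed_v1 ps;` declaration go away. If the two sizes can differ for the v0 layout, keep the copy but say so in a comment, e.g. `/* copy into an IFNAMSIZ buffer; the v0 field may be shorter */`. The enclosing case body starts before the hunk.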
@@ -3402,7 +3460,9 @@
break;
}
pa = malloc(sizeof(*pa), M_PFRULE, M_WAITOK);
- pf_pooladdr_to_kpooladdr(&pp->addr, pa);
+ error = pf_pooladdr_to_kpooladdr(&pp->addr, pa);
+ if (error != 0)
+ break;
if (pa->ifname[0])
kif = pf_kkif_create(M_WAITOK);
PF_RULES_WLOCK();
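Review bot: The new error path leaks pa: it is allocated with M_WAITOK on the line before pf_pooladdr_to_kpooladdr() is called, and the added `if (error != 0) break;` leaves the switch without freeing it. Either free it on that path, `if (error != 0) { free(pa, M_PFRULE); break; }`, or validate with pf_check_ustr(pp->addr.ifname, sizeof(pp->addr.ifname)) before the malloc so nothing needs to be undone. The rest of the DIOCADDADDR case, including where pa is normally released, is outside the hunk.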
@@ -3438,8 +3498,10 @@
struct pf_kpool *pool;
struct pf_kpooladdr *pa;
- PF_RULES_RLOCK();
+ pp->anchor[sizeof(pp->anchor) - 1] = 0;
pp->nr = 0;
+
+ PF_RULES_RLOCK();
pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
pp->r_num, 0, 1, 0);
if (pool == NULL) {
@@ -3459,6 +3521,8 @@
struct pf_kpooladdr *pa;
u_int32_t nr = 0;
+ pp->anchor[sizeof(pp->anchor) - 1] = 0;
+
PF_RULES_RLOCK();
pool = pf_get_kpool(pp->anchor, pp->ticket, pp->r_action,
pp->r_num, 0, 1, 1);
@@ -3490,6 +3554,8 @@
struct pf_kruleset *ruleset;
struct pfi_kkif *kif = NULL;
+ pca->anchor[sizeof(pca->anchor) - 1] = 0;
+
if (pca->action < PF_CHANGE_ADD_HEAD ||
pca->action > PF_CHANGE_REMOVE) {
error = EINVAL;
@@ -3621,8 +3687,9 @@
struct pf_kruleset *ruleset;
struct pf_kanchor *anchor;
- PF_RULES_RLOCK();
pr->path[sizeof(pr->path) - 1] = 0;
+
+ PF_RULES_RLOCK();
if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
PF_RULES_RUNLOCK();
error = ENOENT;
@@ -3649,8 +3716,9 @@
struct pf_kanchor *anchor;
u_int32_t nr = 0;
- PF_RULES_RLOCK();
pr->path[sizeof(pr->path) - 1] = 0;
+
+ PF_RULES_RLOCK();
if ((ruleset = pf_find_kruleset(pr->path)) == NULL) {
PF_RULES_RUNLOCK();
error = ENOENT;
@@ -4227,6 +4295,7 @@
}
PF_RULES_WLOCK();
for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
+ ioe->anchor[sizeof(ioe->anchor) - 1] = '\0';
switch (ioe->rs_num) {
#ifdef ALTQ
case PF_RULESET_ALTQ:
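Review bot: The anchor termination added here and in the next two hunks is written inconsistently: this hunk and the one at the DIOCXROLLBACK loop use `'\0'`, while the DIOCXCOMMIT loop uses `0`; pick one (the rest of this change uses `0`) so the three loops read the same. These stores also happen inside PF_RULES_WLOCK, whereas elsewhere in this change the same kind of termination was deliberately moved ahead of taking the lock; a plain byte store is harmless under the lock, but a pass over ioes before PF_RULES_WLOCK() would match the pattern used for pr->anchor and pp->anchor. The loops themselves continue outside these hunks.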
@@ -4300,6 +4369,7 @@
}
PF_RULES_WLOCK();
for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
+ ioe->anchor[sizeof(ioe->anchor) - 1] = '\0';
switch (ioe->rs_num) {
#ifdef ALTQ
case PF_RULESET_ALTQ:
@@ -4376,6 +4446,7 @@
PF_RULES_WLOCK();
/* First makes sure everything will succeed. */
for (i = 0, ioe = ioes; i < io->size; i++, ioe++) {
+ ioe->anchor[sizeof(ioe->anchor) - 1] = 0;
switch (ioe->rs_num) {
#ifdef ALTQ
case PF_RULESET_ALTQ:
@@ -4442,7 +4513,7 @@
struct pfr_table table;
bzero(&table, sizeof(table));
- strlcpy(table.pfrt_anchor, ioe->anchor,
+ (void)strlcpy(table.pfrt_anchor, ioe->anchor,
sizeof(table.pfrt_anchor));
if ((error = pfr_ina_commit(&table,
ioe->ticket, NULL, NULL, 0))) {
Index: sys/netpfil/pf/pf_ruleset.c
===================================================================
--- sys/netpfil/pf/pf_ruleset.c
+++ sys/netpfil/pf/pf_ruleset.c
@@ -177,7 +177,7 @@
p = (char *)rs_malloc(MAXPATHLEN);
if (p == NULL)
return (NULL);
- strlcpy(p, path, MAXPATHLEN);
+ (void)strlcpy(p, path, MAXPATHLEN);
while (parent == NULL && (q = strrchr(p, '/')) != NULL) {
*q = 0;
if ((ruleset = pf_find_kruleset(p)) != NULL) {
