Page MenuHomeFreeBSD
Files F136664888

D53805.id.diff
No OneTemporary
Actions

D53805.id.diff
View Options

diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -956,6 +956,34 @@
*(sp) = htons(sumshort);
}
+/*
+ * Make sure that the string at the specified offset lies within the bounds of
+ * the structure.
+ */
+static int
+check_ipnat_string(ipf_main_softc_t *softc, ipnat_t *nat, int offset)
+{
+ const char *name;
+ size_t len;
+
+ if (offset == -1)
+ return (0);
+ if (offset < 0) {
+ IPFERROR(60077);
+ return (EINVAL);
+ }
+ if (offset > nat->in_namelen) {
+ IPFERROR(60081);
+ return (EINVAL);
+ }
+ name = &nat->in_names[offset];
+ len = strnlen(name, nat->in_namelen - offset);
+ if (len == nat->in_namelen - offset) {
+ IPFERROR(60078);
+ return (EINVAL);
+ }
+ return (0);
+}
/* ------------------------------------------------------------------------ */
/* Function: ipf_nat_ioctl */
@@ -1027,6 +1055,11 @@
error = EINVAL;
goto done;
}
+ if (natd.in_namelen < 0 ||
+ sizeof(natd) + natd.in_namelen != natd.in_size) {
+ error = EINVAL;
+ goto done;
+ }
KMALLOCS(nt, ipnat_t *, natd.in_size);
if (nt == NULL) {
IPFERROR(60070);
@@ -1041,6 +1074,20 @@
nat = nt;
}
+ /*
+ * Validate string offsets.
+ */
+ error = check_ipnat_string(softc, nat, nat->in_ifnames[0]);
+ if (error == 0)
+ error = check_ipnat_string(softc, nat,
+ nat->in_ifnames[1]);
+ if (error == 0)
+ error = check_ipnat_string(softc, nat, nat->in_plabel);
+ if (error == 0)
+ error = check_ipnat_string(softc, nat, nat->in_pconfig);
+ if (error != 0)
+ goto done;
+
/*
* For add/delete, look to see if the NAT entry is
* already present

File Metadata

Mime Type
text/plain
Expires
Wed, Nov 19, 7:36 PM (18 h, 41 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
25651448
Default Alt Text
D53805.id.diff (1 KB)

Event Timeline