D53279.diff
No OneTemporary
Actions

Size

1 KB

Referenced Files

None

Subscribers

None

D53279.diff
View Options

	diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
	--- a/sbin/ipf/libipf/interror.c
	+++ b/sbin/ipf/libipf/interror.c
	@@ -357,6 +357,8 @@
	{ 60075, "one object at a time must be copied" },
	{ 60076, "NAT ioctl denied in jail without VNET" },
	{ 60077, "NAT length of interface name is incorrect"},
	+ { 60078, "NAT destination size is too short"},
	+ { 60079, "NAT supplimental destination size is too short"},
	/* -------------------------------------------------------------------------- */
	{ 70001, "incorrect object size to get pool stats" },
	{ 70002, "could not malloc memory for new pool node" },
	diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
	--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
	+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
	@@ -2088,6 +2088,11 @@
	error = ENOMEM;
	goto junkput;
	}
	+ if (sizeof(*aps) > ipn.ipn_dsize) {
	+ IPFERROR(60078);
	+ error = ENOMEM;
	+ goto junkput;
	+ }
	bcopy(ipnn->ipn_data, (char )aps, sizeof(aps));
	if (in != NULL)
	aps->aps_apr = in->in_apr;
	@@ -2105,6 +2110,11 @@
	error = ENOMEM;
	goto junkput;
	}
	+ if ((aps->aps_psiz + sizeof(*aps)) > ipn.ipn_dsize) {
	+ IPFERROR(60079);
	+ error = ENOMEM;
	+ goto junkput;
	+ }
	bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data,
	aps->aps_psiz);
	} else {