pf: Validate user string nul-termination before copying

Description

Some pf ioctl handlers use strlcpy() to copy strings when converting
from user structures to their in-kernel representations. strlcpy()
ensures that the destination will be nul-terminated, but it assumes that
the source is nul-terminated. In particular, it returns the full length
of the source string, so if the source is not nul-terminated, strlcpy()
will keep scanning until it finds a nul byte, and it may encounter an
unmapped page first. Add a helper to validate user strings before
copying.

There are also places where we look up a ruleset using a user-provided
anchor string. In some ioctl handlers we were already nul-terminating
the string, avoiding the same problem, but in other places we were not.
Fix those by nul-terminating as well. Aside from being consistent,
anchors have a maximum length of MAXPATHLEN - 1 so calling strnlen()
might not be so desirable.

Reported by: syzbot+35a1549b4663e9483dd1@syzkaller.appspotmail.com
Reviewed by: kp
Sponsored by: The FreeBSD Foundation

(cherry picked from commit 64432ad2a2c4b10d3d3411a8ca018e2a35cec97e)
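The check the commit message describes, as an added example in C that is not the commit's own code: a hypothetical `user_strcpy()` helper that rejects an unterminated source with strnlen() before copying, a `rule_copyin()` conversion that uses it, and the force-terminate approach the message prefers for large anchor buffers. The struct layouts, buffer sizes and function names are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define IFNAME_LEN 16      /* constructed size; pf itself uses IFNAMSIZ */
#define ANCHOR_LEN 64      /* constructed; pf anchors are MAXPATHLEN bytes */

/* Hypothetical user-facing and in-kernel rule layouts. */
struct user_rule   { char ifname[IFNAME_LEN]; int action; };
struct kernel_rule { char ifname[IFNAME_LEN]; int action; };

/*
 * Copy a user-supplied string only if it is nul-terminated within
 * `size` bytes.  strnlen() never reads past `size`, whereas strlcpy()
 * keeps scanning the source for a nul and can walk off the end of the
 * user buffer.  Returns 0, or EINVAL if no terminator was found.
 */
int
user_strcpy(char *dst, const char *src, size_t size)
{
	size_t n = strnlen(src, size);

	if (n == size)
		return (EINVAL);
	memcpy(dst, src, n + 1);	/* n + 1 includes the terminator */
	return (0);
}

/* Convert a user rule to its kernel form, rejecting unterminated names. */
int
rule_copyin(struct kernel_rule *krule, const struct user_rule *urule)
{
	int error;

	error = user_strcpy(krule->ifname, urule->ifname,
	    sizeof(krule->ifname));
	if (error != 0)
		return (error);
	krule->action = urule->action;
	return (0);
}

/*
 * For a large buffer such as an anchor path, scanning it with strnlen()
 * is less attractive; instead force a terminator into the last byte so
 * later strlen()/strcmp() calls cannot run past the buffer.
 */
void
anchor_terminate(char anchor[ANCHOR_LEN])
{
	anchor[ANCHOR_LEN - 1] = '\0';
}
```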

Details

Provenance
markj, authored on Jul 28 2021, 2:16 PM
Parents
rGec95c1303332: pf: Initialize arrays before copying out to userland