Page MenuHomeFreeBSD

pf: Fix possible out-of-bounds write
ClosedPublic

Authored by kp on Feb 24 2016, 11:18 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Nov 9, 9:07 PM
Unknown Object (File)
Sun, Nov 3, 3:12 PM
Unknown Object (File)
Oct 26 2024, 7:27 PM
Unknown Object (File)
Oct 19 2024, 8:57 AM
Unknown Object (File)
Sep 19 2024, 1:05 AM
Unknown Object (File)
Sep 8 2024, 8:39 PM
Unknown Object (File)
Aug 23 2024, 7:18 PM
Unknown Object (File)
Aug 23 2024, 7:18 PM
Tokens
"Like" token, awarded by paul_inetstat.net.

Details

Summary
In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs,
which is processed in pfr_set_addrs(). At the users request we also provide
feedback on the deleted addresses, by storing them after the new list
('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).

This means we write outside the bounds of the buffer we've just allocated.
We need to look at pfrio_size2 instead (i.e. the size the user reserved for our
feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than
pfrio_size though, in which case we'd still read outside of the allocated
buffer. Instead we allocate the largest of the two values.

Reported By: Paul J Murphy <paul@inetstat.net>

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

kp retitled this revision from to pf: Fix possible out-of-bounds write.
kp updated this object.
kp edited the test plan for this revision. (Show Details)
kp set the repository for this revision to rS FreeBSD src repository - subversion.

Looks good to me. When backported to releng/10.2, it fixes bug #192677 for loading large blacklists into spamd.

This revision was automatically updated to reflect the committed changes.