pf: Do not allow negative ps_len in DIOCGETSTATES
ClosedPublic
Actions

Authored by kp on Apr 16 2020, 7:29 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Mon, Jun 3, 3:50 PM

	Unknown Object (File)
	Wed, May 29, 1:13 AM

	Unknown Object (File)
	Apr 28 2024, 9:51 AM

	Unknown Object (File)
	Apr 27 2024, 6:35 PM

	Unknown Object (File)
	Apr 25 2024, 10:11 AM

	Unknown Object (File)
	Dec 20 2023, 6:57 AM

	Unknown Object (File)
	Aug 25 2023, 8:47 PM

	Unknown Object (File)
	Jul 2 2023, 1:01 PM

Subscribers

Details

Reviewers

donner

Group Reviewers

network

Commits

rS360042: pf: Do not allow negative ps_len in DIOCGETSTATES

Summary

Userspace may pass a negative ps_len value to us, which causes an
assertion failure in malloc().
Treat negative values as zero, i.e. return the required size.

Reported-by: syzbot+53370d9d0358ee2a059a@syzkaller.appspotmail.com

Diff Detail

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 30536
Build 28282: arc lint + arc unit

Event Timeline

kp created this revision.Apr 16 2020, 7:29 PM

Herald added subscribers: melifaro, farrokhi. · View Herald TranscriptApr 16 2020, 7:29 PM

Harbormaster completed remote builds in B30536: Diff 70652.Apr 16 2020, 7:29 PM

donner accepted this revision as: donner.Apr 16 2020, 8:32 PM

This revision is now accepted and ready to land.Apr 16 2020, 8:32 PM

Closed by commit rS360042: pf: Do not allow negative ps_len in DIOCGETSTATES (authored by kp). · Explain WhyApr 17 2020, 2:35 PM

This revision was automatically updated to reflect the committed changes.

kp added a commit: rS360042: pf: Do not allow negative ps_len in DIOCGETSTATES.

Herald added a subscriber: imp. · View Herald TranscriptApr 17 2020, 2:35 PM

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

pf/

pf_ioctl.c

2 lines

Diff 70652

View Options

pf: Do not allow negative ps_len in DIOCGETSTATESClosedPublicActions