
D53276.1777348162.diff

diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
--- a/sbin/ipf/libipf/interror.c
+++ b/sbin/ipf/libipf/interror.c
@@ -177,6 +177,10 @@
{ 149, "object size validation failed for kernel copyout" },
{ 150, "error copying data out for kernel copyout" },
{ 151, "version mismatch for kernel copyout" },
+ { 152, "negative fr_ifnames" },
+ { 153, "fr_name length incorrect"},
+ { 154, "fr_namelength incorrect"},
+ { 155, "fr_sifpidx is invalid"},
/* -------------------------------------------------------------------------- */
{ 10001, "could not find token for auth iterator" },
{ 10002, "write permissions require to add/remove auth rule" },
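Review bot: The new strings for 153 and 154, `"fr_name length incorrect"` and `"fr_namelength incorrect"`, differ only by a space, so an operator reading the ipf error output cannot tell which check rejected the rule. In fil.c, 153 is raised when an interface name is longer than fr_namelen and 154 when fr_namelen exceeds LIFNAMSIZ, so wording such as `"interface name longer than fr_namelen"` and `"fr_namelen larger than LIFNAMSIZ"` would keep them apart. The three added entries after 152 also close with `"}` where the entries above use `" }`.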
@@ -228,8 +232,6 @@
{ 30024, "object size incorrect for hash table" },
{ 30025, "hash table size must be at least 1"},
{ 30026, "cannot allocate memory for hash table context" },
- { 30027, "hash table larger than maximum allowed" },
- { 30028, "hash table multiplication overflow" },
/* -------------------------------------------------------------------------- */
{ 40001, "invalid minor device number for log read" },
{ 40002, "read size too small" },
diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -4408,7 +4408,9 @@
void *ptr, *uptr;
u_int *p, *pp;
frgroup_t *fg;
- char *group;
+ char *group, *name;
+ size_t namelen;
+ int i;
ptr = NULL;
fg = NULL;
@@ -4720,6 +4722,17 @@
break;
}
+ if (fp->fr_namelen > LIFNAMSIZ) {
+ IPFERROR(154);
+ error = EINVAL;
+ }
+ if ((fp->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) {
+ if (fp->fr_sifpidx < 0 || fp->fr_sifpidx > fp->fr_namelen) {
+ IPFERROR(155);
+ error = EINVAL;
+ }
+ }
+
switch (fp->fr_satype)
{
case FRI_BROADCAST :
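Review bot: The bound in the second added check, `fp->fr_sifpidx > fp->fr_namelen`, accepts an index equal to fr_namelen; if fr_sifpidx is an offset into a name area of fr_namelen bytes, that value is one past the end and the test should read `fp->fr_sifpidx >= fp->fr_namelen`. Both checks only set `error = EINVAL` and then fall through to `switch (fp->fr_satype)`, and when both fire IPFERROR(155) presumably replaces the 154 just recorded. Whether `error` is tested before the rule is used any further cannot be seen here, because the function starts and ends outside this hunk; an early exit in the style of the surrounding code, or a comment such as `/* error is acted on at <label> below */`, would make that explicit. If the rule carries a destination-side counterpart to fr_sifpidx, it needs the same bound.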
@@ -4828,6 +4841,19 @@
}
}
+ for (i = 0; i < FR_NUM(fp->fr_ifnames); i++) {
+ if (fp->fr_ifnames[i] < 0) {
+ IPFERROR(152);
+ error = EINVAL;
+ }
+ name = FR_NAME(fp, fr_ifnames[i]);
+ namelen = strnlen(name, LIFNAMSIZ + 1);
+ if (namelen > fp->fr_namelen) {
+ IPFERROR(153);
+ error = EINVAL;
+ }
+ }
+
/*
* Lookup all the interface names that are part of the rule.
*/
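Review bot: A negative `fr_ifnames[i]` is flagged with error 152 at the top of the added loop, but the body carries on, so `FR_NAME(fp, fr_ifnames[i])` and `strnlen()` still run on the offset that was just rejected; assuming FR_NAME adds the offset to the rule's name area, that reads memory in front of the buffer. The offset also has no upper bound, and `strnlen(name, LIFNAMSIZ + 1)` scans up to LIFNAMSIZ + 1 bytes from `name` however few bytes remain after the offset, so a name placed near the end of the area can be read past its end. The comparison `namelen > fp->fr_namelen` ignores the offset for the same reason. The fence below bounds the offset first, limits the scan to the bytes that remain and stops at the first failure; it assumes fr_namelen is the size of the name area and that no negative value is a legitimate "unused" marker, both of which should be confirmed against the frentry definition.

```c
for (i = 0; i < FR_NUM(fp->fr_ifnames); i++) {
	/* Reject the offset before it is ever turned into a pointer. */
	if (fp->fr_ifnames[i] < 0 ||
	    fp->fr_ifnames[i] >= fp->fr_namelen) {
		IPFERROR(152);
		error = EINVAL;
		break;
	}
	name = FR_NAME(fp, fr_ifnames[i]);
	/* Scan only the bytes left in the name area after the offset. */
	namelen = strnlen(name,
	    (size_t)(fp->fr_namelen - fp->fr_ifnames[i]));
	if (namelen == (size_t)(fp->fr_namelen - fp->fr_ifnames[i])) {
		/* No terminator inside the name area. */
		IPFERROR(153);
		error = EINVAL;
		break;
	}
}
```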
