diff options
| author | Alexandr Nedvedicky <sashan@cvs.openbsd.org> | 2021-12-16 02:02:00 +0000 |
|---|---|---|
| committer | Alexandr Nedvedicky <sashan@cvs.openbsd.org> | 2021-12-16 02:02:00 +0000 |
| commit | 33678eeed7cff7270a229a7ff9b25c06be7aa10d (patch) | |
| tree | 2b2026c57ccc0eabc59203840509d05b52566971 | |
| parent | 46af39fe24ac4f08f1db3781001e54baaf1de786 (diff) | |
fix zero division found by syzkaller. The sanity checks in pf(4) ioctls
are not powerful enough to detect invalid port ranges (or even invalid
rules). syzkaller does not use pfctl(8), it uses ioctl(2) to pass some
random chunk of memory as a rule to pf(4). Fix adds explicit check
for 0 divider to pf_get_transaddr(). It should make syzkaller happy
without disturbing anyone else.
OK gnezdo@
Reported-by: syzbot+d1f00da48fa717e171f3@syzkaller.appspotmail.com
| -rw-r--r-- | sys/net/pf_lb.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c index 2f74762986e..65f70ef9102 100644 --- a/sys/net/pf_lb.c +++ b/sys/net/pf_lb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_lb.c,v 1.68 2020/12/12 22:59:21 jan Exp $ */ +/* $OpenBSD: pf_lb.c,v 1.69 2021/12/16 02:01:59 sashan Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -706,11 +706,12 @@ pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, nport = 0; if (r->rdr.proxy_port[1]) { u_int32_t tmp_nport; + u_int16_t div; - tmp_nport = ((ntohs(pd->ndport) - - ntohs(r->dst.port[0])) % - (r->rdr.proxy_port[1] - - r->rdr.proxy_port[0] + 1)) + + div = r->rdr.proxy_port[1] - r->rdr.proxy_port[0] + 1; + div = (div == 0) ? 1 : div; + + tmp_nport = ((ntohs(pd->ndport) - ntohs(r->dst.port[0])) % div) + r->rdr.proxy_port[0]; /* wrap around if necessary */ |