authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-03-28 18:14:21 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-03-28 18:14:21 +0000
commit3b0d73d1e3713234c4ba02347261a66532b8792f (patch)
tree19499edf241fec333134e00398f3db099f365146
parent05fddfb6a5fa53dee01222d9f9ba4aa8591eddd7 (diff)
Check variables in incoming packets which can cause problems if they're set
to arbitrary values. Invalid state->timeout can hit a KASSERT in pf, the other ones should be ok but we check them just to make sure. ok dhartmei@ deraadt@
-rw-r--r--sys/net/if_pfsync.c38
1 files changed, 37 insertions, 1 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 1217de2b5ca..e4840ff32d9 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.25 2004/03/23 09:57:44 mcbride Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.26 2004/03/28 18:14:20 mcbride Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -343,6 +343,19 @@ pfsync_input(struct mbuf *m, ...)
s = splsoftnet();
for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
i < count; i++, sp++) {
+ /* check for invalid values */
+ if (sp->timeout >= PFTM_MAX ||
+ sp->src.state > PF_TCPS_PROXY_DST ||
+ sp->dst.state > PF_TCPS_PROXY_DST ||
+ sp->direction > PF_OUT ||
+ (sp->af != AF_INET && sp->af != AF_INET6)) {
+ if (pf_status.debug >= PF_DEBUG_MISC)
+ printf("pfsync_insert: PFSYNC_ACT_INS: "
+ "invalid value\n");
+ pfsyncstats.pfsyncs_badstate++;
+ continue;
+ }
+
if ((error = pfsync_insert_net_state(sp))) {
if (error == ENOMEM) {
splx(s);
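Review bot: The debug message on L35 is prefixed `pfsync_insert:` although, per the hunk header, this code lives in pfsync_input; the same misleading prefix appears in the sibling checks at L53 and L70. Since these messages are the only trace an operator gets of a rejected state, `printf("pfsync_input: PFSYNC_ACT_INS: invalid value\n");` (and likewise for the UPD and UPD_C variants) would point at the right function. The comment `/* check for invalid values */` on L28 could also carry the reason the commit message gives: `/* Reject peer-supplied fields that are used as table indices; an out-of-range timeout would trip a KASSERT in pf. */`. The INS check covers direction and af while the UPD/UPD_C checks at L49 and L66 do not; presumably those fields are taken from the existing state on update, but a one-line comment saying so at L48 would keep the three copies from drifting apart. pfsync_input starts and ends outside this hunk.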
@@ -363,6 +376,17 @@ pfsync_input(struct mbuf *m, ...)
s = splsoftnet();
for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
i < count; i++, sp++) {
+ /* check for invalid values */
+ if (sp->timeout >= PFTM_MAX ||
+ sp->src.state > PF_TCPS_PROXY_DST ||
+ sp->dst.state > PF_TCPS_PROXY_DST) {
+ if (pf_status.debug >= PF_DEBUG_MISC)
+ printf("pfsync_insert: PFSYNC_ACT_UPD: "
+ "invalid value\n");
+ pfsyncstats.pfsyncs_badstate++;
+ continue;
+ }
+
bcopy(sp->id, &key.id, sizeof(key.id));
key.creatorid = sp->creatorid;
@@ -426,6 +450,18 @@ pfsync_input(struct mbuf *m, ...)
s = splsoftnet();
for (i = 0, up = (struct pfsync_state_upd *)(mp->m_data + offp);
i < count; i++, up++) {
+ /* check for invalid values */
+ if (up->timeout >= PFTM_MAX ||
+ up->src.state > PF_TCPS_PROXY_DST ||
+ up->dst.state > PF_TCPS_PROXY_DST) {
+ if (pf_status.debug >= PF_DEBUG_MISC)
+ printf("pfsync_insert: "
+ "PFSYNC_ACT_UPD_C: "
+ "invalid value\n");
+ pfsyncstats.pfsyncs_badstate++;
+ continue;
+ }
+
bcopy(up->id, &key.id, sizeof(key.id));
key.creatorid = up->creatorid;