diff options
author | Claudio Jeker <claudio@cvs.openbsd.org> | 2017-07-27 12:09:52 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2017-07-27 12:09:52 +0000 |
commit | 705b311a3dcb3f9ca5ce304e5e0ecde595251acd (patch) | |
tree | 9ba39cc6441474110d8225210969113d00d1b958 | |
parent | e400130b3a704f3c427dc210eb92bf6e4e96773b (diff) |
For pf the anchor is a C string so ensure that the value passed in via ioctl
is correctly NUL terminated.
Reported by Ilja Van Sprundel
With and OK bluhm@
-rw-r--r-- | sys/net/pf_ioctl.c | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 4661c897487..5993869fe58 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.319 2017/07/19 12:51:30 mikeb Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.320 2017/07/27 12:09:51 claudio Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2104,6 +2104,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } + if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == + sizeof(ioe->anchor)) { + free(table, M_TEMP, sizeof(*table)); + free(ioe, M_TEMP, sizeof(*ioe)); + error = ENAMETOOLONG; + goto fail; + } switch (ioe->type) { case PF_TRANS_TABLE: bzero(table, sizeof(*table)); @@ -2156,6 +2163,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } + if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == + sizeof(ioe->anchor)) { + free(table, M_TEMP, sizeof(*table)); + free(ioe, M_TEMP, sizeof(*ioe)); + error = ENAMETOOLONG; + goto fail; + } switch (ioe->type) { case PF_TRANS_TABLE: bzero(table, sizeof(*table)); @@ -2204,6 +2218,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } + if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == + sizeof(ioe->anchor)) { + free(table, M_TEMP, sizeof(*table)); + free(ioe, M_TEMP, sizeof(*ioe)); + error = ENAMETOOLONG; + goto fail; + } switch (ioe->type) { case PF_TRANS_TABLE: rs = pf_find_ruleset(ioe->anchor); @@ -2251,6 +2272,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } + if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == + sizeof(ioe->anchor)) { + free(table, M_TEMP, sizeof(*table)); + free(ioe, M_TEMP, sizeof(*ioe)); + error = ENAMETOOLONG; + goto fail; + } switch (ioe->type) { case PF_TRANS_TABLE: bzero(table, sizeof(*table)); |