authorMike Belopuhov <mikeb@cvs.openbsd.org>2017-08-16 14:19:58 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2017-08-16 14:19:58 +0000
commit898f7b2b9a73d69bf2f3265cd9bfb3785949f030 (patch)
treeb36319af519f93331adc487b28c1996c87adcffc /sys/net/pf_table.c
parenta4cf8460a9ba79f82067d4de1b43666db0ee4ae0 (diff)
Validate pfra_type after copyin before using it to index an array
Don't trust the value of pfra_type blindly, since it comes from userland: sanitize it in pfr_validate_addr, which is called after every copyin, and also perform the check in pfr_create_kentry before we attempt to use the value, not after. Coverity CID 1452909, 1453097, 1453384; Severity: Minor. It can be triggered only by root by default, or by anyone with write access to /dev/pf if such access is provided. ok visa, bcook, sashan, jsg
Diffstat (limited to 'sys/net/pf_table.c')
-rw-r--r--sys/net/pf_table.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/sys/net/pf_table.c b/sys/net/pf_table.c
index 7666ec7013c..bc93e8709ac 100644
--- a/sys/net/pf_table.c
+++ b/sys/net/pf_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_table.c,v 1.126 2017/05/08 20:24:03 patrick Exp $ */
+/* $OpenBSD: pf_table.c,v 1.127 2017/08/16 14:19:57 mikeb Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -743,6 +743,8 @@ pfr_validate_addr(struct pfr_addr *ad)
return (-1);
if (ad->pfra_fback)
return (-1);
+ if (ad->pfra_type >= PFRKE_MAX)
+ return (-1);
return (0);
}
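Review bot: The new bound in pfr_validate_addr tests only the upper side, `ad->pfra_type >= PFRKE_MAX`, which is sufficient only if pfra_type is an unsigned field; its declaration is not part of this diff, so that is worth confirming. The check also deserves a short comment saying why it exists, for example `/* pfra_type indexes pfr_kentry_pl[] in pfr_create_kentry() */`, so that a later cleanup does not drop it as redundant. The function begins above the hunk, so the earlier checks are not visible here.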
@@ -822,6 +824,9 @@ pfr_create_kentry(struct pfr_addr *ad)
{
struct pfr_kentry_all *ke;
+ if (ad->pfra_type >= PFRKE_MAX)
+ panic("unknown pfra_type %d", ad->pfra_type);
+
ke = pool_get(&pfr_kentry_pl[ad->pfra_type], PR_NOWAIT | PR_ZERO);
if (ke == NULL)
return (NULL);
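Review bot: The guard added at the top of pfr_create_kentry panics on a value that originates in userland, so any call path that reaches this function without first passing pfr_validate_addr would turn a bad pfra_type from a /dev/pf writer into a kernel panic instead of a rejected request. The function already fails with `return (NULL);` when pool_get fails, so consider failing the same way here, `if (ad->pfra_type >= PFRKE_MAX) return (NULL);`, provided the callers (outside this hunk) do not treat NULL strictly as out-of-memory. If the panic is kept as an invariant check, a comment such as `/* callers must have run pfr_validate_addr() */` would make the contract explicit. The function body continues past the hunk.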
@@ -844,9 +849,6 @@ pfr_create_kentry(struct pfr_addr *ad)
if (ke->pfrke_rkif)
pfi_kif_ref(ke->pfrke_rkif, PFI_KIF_REF_ROUTE);
break;
- default:
- panic("unknown pfrke_type %d", ke->pfrke_type);
- break;
}
switch (ad->pfra_af) {