The routing table index rtableid has type unsigned int in the routing

code.  In pf rtableid == -1 means don't change the rtableid because
of this rule.  So it has to be signed int there.  Before the value
is passed from pf to route it is always checked to be >= 0.  Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work.  Otherwise -1 may be used as an array index and
the kernel crashes.

ok henning@

4 files changed, 11 insertions, 11 deletions

diff --git a/sys/net/pf.c b/sys/net/pf.c
index f49d9288271..2c68a807512 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.647 2009/04/30 12:54:32 henning Exp $ */
+/*	$OpenBSD: pf.c,v 1.648 2009/05/18 20:37:13 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -154,9 +154,9 @@ void			 pf_send_tcp(const struct pf_rule *, sa_family_t,
 			    u_int16_t, u_int16_t, u_int32_t, u_int32_t,
 			    u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
 			    u_int16_t, struct ether_header *, struct ifnet *,
-			    u_int);
+			    int);
 void			 pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
-			    sa_family_t, struct pf_rule *, u_int);
+			    sa_family_t, struct pf_rule *, int);
 void			 pf_detach_state(struct pf_state *);
 void			 pf_state_key_detach(struct pf_state *, int);
 u_int32_t		 pf_tcp_iss(struct pf_pdesc *);
@@ -1878,7 +1878,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
     const struct pf_addr *saddr, const struct pf_addr *daddr,
     u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
     u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
-    u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp, u_int rtableid)
+    u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp, int rtableid)
 {
 	struct mbuf	*m;
 	int		 len, tlen;
@@ -2032,7 +2032,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
 
 void
 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
-    struct pf_rule *r, u_int rtableid)
+    struct pf_rule *r, int rtableid)
 {
 	struct mbuf	*m0;
 
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 9952de3cf69..d60d52983c4 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfvar.h,v 1.285 2009/04/06 12:05:55 henning Exp $ */
+/*	$OpenBSD: pfvar.h,v 1.286 2009/05/18 20:37:13 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -796,7 +796,7 @@ struct pf_state {
 	/* XXX */
 	u_int8_t		 sync_updates;
 
-	int16_t			 rtableid;
+	int			 rtableid;
 	u_int8_t		 min_ttl;
 	u_int8_t		 set_tos;
 	u_int16_t		 max_mss;
diff --git a/sys/net/route.c b/sys/net/route.c
index 4cfa782c63a..ae49455f943 100644
--- a/sys/net/route.c
+++ b/sys/net/route.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: route.c,v 1.105 2009/03/15 19:40:41 miod Exp $	*/
+/*	$OpenBSD: route.c,v 1.106 2009/05/18 20:37:13 bluhm Exp $	*/
 /*	$NetBSD: route.c,v 1.14 1996/02/13 22:00:46 christos Exp $	*/
 
 /*
@@ -1300,7 +1300,7 @@ rt_gettable(sa_family_t af, u_int id)
 }
 
 struct radix_node *
-rt_lookup(struct sockaddr *dst, struct sockaddr *mask, int tableid)
+rt_lookup(struct sockaddr *dst, struct sockaddr *mask, u_int tableid)
 {
 	struct radix_node_head	*rnh;
 
diff --git a/sys/net/route.h b/sys/net/route.h
index b24598624ab..cb151fdfee3 100644
--- a/sys/net/route.h
+++ b/sys/net/route.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: route.h,v 1.60 2009/03/31 01:31:26 dlg Exp $	*/
+/*	$OpenBSD: route.h,v 1.61 2009/05/18 20:37:13 bluhm Exp $	*/
 /*	$NetBSD: route.h,v 1.9 1996/02/13 22:00:49 christos Exp $	*/
 
 /*
@@ -430,6 +430,6 @@ void	 rt_if_track(struct ifnet *);
 int	 rtdeletemsg(struct rtentry *, u_int);
 
 struct radix_node_head	*rt_gettable(sa_family_t, u_int);
-struct radix_node	*rt_lookup(struct sockaddr *, struct sockaddr *, int);
+struct radix_node	*rt_lookup(struct sockaddr *, struct sockaddr *, u_int);
 #endif /* _KERNEL */
 #endif /* _NET_ROUTE_H_ */