summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorClaudio Jeker <claudio@cvs.openbsd.org>2017-07-27 12:09:52 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2017-07-27 12:09:52 +0000
commit705b311a3dcb3f9ca5ce304e5e0ecde595251acd (patch)
tree9ba39cc6441474110d8225210969113d00d1b958 /sys
parente400130b3a704f3c427dc210eb92bf6e4e96773b (diff)
For pf the anchor is a C string so ensure that the value passed in via ioctl
is correctly NUL terminated. Reported by Ilja Van Sprundel With and OK bluhm@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf_ioctl.c30
1 files changed, 29 insertions, 1 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 4661c897487..5993869fe58 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.319 2017/07/19 12:51:30 mikeb Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.320 2017/07/27 12:09:51 claudio Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2104,6 +2104,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EFAULT;
goto fail;
}
+ if (strnlen(ioe->anchor, sizeof(ioe->anchor)) ==
+ sizeof(ioe->anchor)) {
+ free(table, M_TEMP, sizeof(*table));
+ free(ioe, M_TEMP, sizeof(*ioe));
+ error = ENAMETOOLONG;
+ goto fail;
+ }
switch (ioe->type) {
case PF_TRANS_TABLE:
bzero(table, sizeof(*table));
@@ -2156,6 +2163,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EFAULT;
goto fail;
}
+ if (strnlen(ioe->anchor, sizeof(ioe->anchor)) ==
+ sizeof(ioe->anchor)) {
+ free(table, M_TEMP, sizeof(*table));
+ free(ioe, M_TEMP, sizeof(*ioe));
+ error = ENAMETOOLONG;
+ goto fail;
+ }
switch (ioe->type) {
case PF_TRANS_TABLE:
bzero(table, sizeof(*table));
@@ -2204,6 +2218,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EFAULT;
goto fail;
}
+ if (strnlen(ioe->anchor, sizeof(ioe->anchor)) ==
+ sizeof(ioe->anchor)) {
+ free(table, M_TEMP, sizeof(*table));
+ free(ioe, M_TEMP, sizeof(*ioe));
+ error = ENAMETOOLONG;
+ goto fail;
+ }
switch (ioe->type) {
case PF_TRANS_TABLE:
rs = pf_find_ruleset(ioe->anchor);
@@ -2251,6 +2272,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EFAULT;
goto fail;
}
+ if (strnlen(ioe->anchor, sizeof(ioe->anchor)) ==
+ sizeof(ioe->anchor)) {
+ free(table, M_TEMP, sizeof(*table));
+ free(ioe, M_TEMP, sizeof(*ioe));
+ error = ENAMETOOLONG;
+ goto fail;
+ }
switch (ioe->type) {
case PF_TRANS_TABLE:
bzero(table, sizeof(*table));