-rw-r--r--sbin/pfctl/parse.y6
-rw-r--r--sys/net/pf_ioctl.c24
2 files changed, 27 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index ed259dfa565..26027e3841b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.705 2020/12/07 08:29:41 sashan Exp $ */
+/* $OpenBSD: parse.y,v 1.706 2020/12/16 18:00:44 kn Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -4615,8 +4615,10 @@ apply_redirspec(struct pf_pool *rpool, struct pf_rule *r, struct redirspec *rs,
if (!rs->rdr->rport.b && rs->rdr->rport.t) {
rpool->proxy_port[1] = ntohs(rs->rdr->rport.a) +
(ntohs(np->port[1]) - ntohs(np->port[0]));
- } else
+ } else {
+ rpool->port_op = rs->rdr->rport.t;
rpool->proxy_port[1] = ntohs(rs->rdr->rport.b);
+ }
} else {
rpool->proxy_port[1] = ntohs(rs->rdr->rport.b);
if (!rpool->proxy_port[0] && !rpool->proxy_port[1]) {
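Review bot: `rpool->port_op` is assigned only in the new inner `else`; the `!rs->rdr->rport.b && rs->rdr->rport.t` branch just above and the outer `else` below still write `proxy_port[1]` without touching it, so on those paths the kernel's new range check sees whatever operator the pool already held. The hunk does not show whether that is intended, so either add a comment such as `/* explicit range: hand the operator to the kernel so pf_rule_copyin() can reject an inverted range */`, or set `rpool->port_op = PF_OP_NONE;` on the other paths if they are meant to carry no range operator. The body of apply_redirspec() starts and ends outside this hunk, so an initialisation earlier in the function may already cover this.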
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 27315239807..afa40bb677b 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.360 2020/10/22 12:25:20 sashan Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.361 2020/12/16 18:00:44 kn Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -107,6 +107,7 @@ int pf_kif_setup(char *, struct pfi_kif **);
void pf_addr_copyout(struct pf_addr_wrap *);
void pf_trans_set_commit(void);
void pf_pool_copyin(struct pf_pool *, struct pf_pool *);
+int pf_validate_range(u_int8_t, u_int16_t[2]);
int pf_rule_copyin(struct pf_rule *, struct pf_rule *,
struct pf_ruleset *);
u_int16_t pf_qname2qid(char *, int);
@@ -2944,6 +2945,19 @@ pf_pool_copyin(struct pf_pool *from, struct pf_pool *to)
}
int
+pf_validate_range(u_int8_t op, u_int16_t port[2])
+{
+ u_int16_t a = ntohs(port[0]);
+ u_int16_t b = ntohs(port[1]);
+
+ if ((op == PF_OP_RRG && a > b) || /* 34:12, i.e. none */
+ (op == PF_OP_IRG && a >= b) || /* 34><12, i.e. none */
+ (op == PF_OP_XRG && a > b)) /* 34<>22, i.e. all */
+ return 1;
+ return 0;
+}
+
+int
pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
struct pf_ruleset *ruleset)
{
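Review bot: `pf_validate_range()` applies `ntohs()` to both ports unconditionally, but the call in the later hunk passes `to->rdr.proxy_port`, and the parse.y hunk of this same commit fills `proxy_port[1]` with `ntohs(rs->rdr->rport.b)`, which looks like host order. If the pool ports do reach the kernel in host order, a little-endian machine compares byte-swapped values, so a valid redirect range can be refused with EINVAL and an inverted one can pass the check. The helper should be told the byte order of its input, for example with a third argument and `u_int16_t a = net_order ? ntohs(port[0]) : port[0];` (likewise for `b`). The `src.port` and `dst.port` calls would then pass network order, which is presumably what those fields hold, and the `rdr.proxy_port` call would pass host order. A one-line comment stating that a nonzero return means the range is invalid would also make the `if (pf_validate_range(...)) return (EINVAL);` call sites easier to read.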
@@ -2954,6 +2968,11 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
to->dst = from->dst;
to->dst.addr.p.tbl = NULL;
+ if (pf_validate_range(to->src.port_op, to->src.port))
+ return (EINVAL);
+ if (pf_validate_range(to->dst.port_op, to->dst.port))
+ return (EINVAL);
+
/* XXX union skip[] */
strlcpy(to->label, from->label, sizeof(to->label));
@@ -2971,6 +2990,9 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
pf_pool_copyin(&from->rdr, &to->rdr);
pf_pool_copyin(&from->route, &to->route);
+ if (pf_validate_range(to->rdr.port_op, to->rdr.proxy_port))
+ return (EINVAL);
+
if (pf_kif_setup(to->ifname, &to->kif))
return (EINVAL);
if (pf_kif_setup(to->rcv_ifname, &to->rcv_kif))