CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

projects / FreeBSD / FreeBSD.git / commit

author	Kristof Provost <kp@FreeBSD.org>
	Wed, 24 Apr 2019 14:08:14 +0000 (14:08 +0000)
committer	Kristof Provost <kp@FreeBSD.org>
	Wed, 24 Apr 2019 14:08:14 +0000 (14:08 +0000)
commit	0893d1c2b79bc1609841ecea85a0ed2dd9a72cfa
tree	cbd6a497a76089c939ea2780750e1464784c8d94	tree \| snapshot
parent	ea204bf0af358bde647b3f882238ce4a17b42826	commit \| diff

MFC r346319:

pf: Fix panic on invalid DIOCRSETTFLAGS

If during DIOCRSETTFLAGS pfrio_buffer is NULL copyin() will fault, which we're
not allowed to do with a lock held.
We must count the number of entries in the table and release the lock during
copyin(). Only then can we re-acquire the lock. Note that this is safe, because
pfr_set_tflags() will check if the table and entries exist.

This was discovered by a local syzcaller instance.

sys/netpfil/pf/pf_ioctl.c

diff | blob | history

Unnamed repository; edit this file 'description' to name the repository.

RSS Atom