CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

projects / FreeBSD / FreeBSD.git / commit

author	kp <kp@FreeBSD.org>
	Wed, 24 Apr 2019 14:08:16 +0000 (14:08 +0000)
committer	kp <kp@FreeBSD.org>
	Wed, 24 Apr 2019 14:08:16 +0000 (14:08 +0000)
commit	39f99c05c46f525ee99285198fd014df1afd08d7
tree	e9b9b166e45593ad6a44465eae60977854575327	tree \| snapshot
parent	6b4d40385ef4cff34079ed25e5294dcf0125945a	commit \| diff

MFC r346319:

pf: Fix panic on invalid DIOCRSETTFLAGS

If during DIOCRSETTFLAGS pfrio_buffer is NULL copyin() will fault, which we're
not allowed to do with a lock held.
We must count the number of entries in the table and release the lock during
copyin(). Only then can we re-acquire the lock. Note that this is safe, because
pfr_set_tflags() will check if the table and entries exist.

This was discovered by a local syzcaller instance.

sys/netpfil/pf/pf_ioctl.c

diff | blob | history

Unnamed repository; edit this file 'description' to name the repository.

RSS Atom