]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: eed5146) | patch
MFC r327675
authorkp <kp@FreeBSD.org>
Tue, 23 Jan 2018 04:30:46 +0000 (04:30 +0000)
committerkp <kp@FreeBSD.org>
Tue, 23 Jan 2018 04:30:46 +0000 (04:30 +0000)
commit629392b06dd0cb278e113112a44a62a706d8f0c3
tree27e854e8e99632ba6ca295f5c94f441786896526tree | snapshot
parenteed5146f6d321779c6dbc469b5188dafcc08c652commit | diff
MFC r327675

pf: Avoid integer overflow issues by using mallocarray() iso. malloc()

pfioctl() handles several ioctl that takes variable length input, these
include:
- DIOCRADDTABLES
- DIOCRDELTABLES
- DIOCRGETTABLES
- DIOCRGETTSTATS
- DIOCRCLRTSTATS
- DIOCRSETTFLAGS

All of them take a pfioc_table struct as input from userland. One of
its elements (pfrio_size) is used in a buffer length calculation.
The calculation contains an integer overflow which if triggered can lead
to out of bound reads and writes later on.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
sys/netpfil/pf/pf_ioctl.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.