]> CyberLeo.Net >> Repos - FreeBSD/stable/10.git/commit
projects / FreeBSD / stable / 10.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 464d00d) | patch
MFC r327675
authorkp <kp@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Tue, 23 Jan 2018 05:03:26 +0000 (05:03 +0000)
committerkp <kp@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Tue, 23 Jan 2018 05:03:26 +0000 (05:03 +0000)
commitf081423c7a68d7ef073d6eef0db04efa8c3e366e
tree6c3d13daede2540518959095365677657089d738tree | snapshot
parent464d00d7bbef1bd811d20a5982cd96e2c406adcdcommit | diff
MFC r327675

pf: Avoid integer overflow issues by using mallocarray() iso. malloc()

pfioctl() handles several ioctl that takes variable length input, these
include:
- DIOCRADDTABLES
- DIOCRDELTABLES
- DIOCRGETTABLES
- DIOCRGETTSTATS
- DIOCRCLRTSTATS
- DIOCRSETTFLAGS

All of them take a pfioc_table struct as input from userland. One of
its elements (pfrio_size) is used in a buffer length calculation.
The calculation contains an integer overflow which if triggered can lead
to out of bound reads and writes later on.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>

git-svn-id: svn://svn.freebsd.org/base/stable/10@328277 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
sys/netpfil/pf/pf_ioctl.c diff | blob | history
10-STABLE