From nobody Fri Jul 18 09:53:03 2025 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bk4q41vLnz6259Q; Fri, 18 Jul 2025 09:53:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4bk4q40wLYz46Sf; Fri, 18 Jul 2025 09:53:04 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1752832384; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=T+5H/lCmEEr8jQ5fbKMPMmUYHAnTJNs369oG5RbbyVc=; b=KKGl2CvHAOLyRXVSDY2jnbGETc052CAXPwwQTgMbrrVJAu+uLlgSefxToVD4EGktGMqV+1 bp6C9ncrSZQk6VclX1oeb86QQ8A8/EqmZJsXaDhXJLBtrZP4uTNNuRilM9ewLJKzmuypas 4Le/25czkMAtH/Re9QfgnhI6F/orfTpzp1pJywqn1X4GbG0WLqDgiYcrZ/twOK2+fFDcHz 9kksnif28/f9qZEXGBJEF5KtHWN3mJ4IjqcDp6NupvYelN9EYfvzWJT3bIQNEW/00p6Ye9 bIZCXJUYDRObNdcb1dIefhMwJxdmiiesE0PQ9UHp2lmMkw4Fl64Z/tUbFo+nhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1752832384; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=T+5H/lCmEEr8jQ5fbKMPMmUYHAnTJNs369oG5RbbyVc=; b=j2gK54FFnexpuLEB5Pa8P2jDcqbzRoAEEPY0G0jnk5Qc4zdmm6ZolxxiO24y5QE+7I1Epg LFXI4n+l3stGzhTLVlUYpeEFI2eWNJ+h7Gu6oUA+ZcTC0rjJUOnVdbBJTP1Kk/RmDLeqcK 1ORMaR8B3BRkcDWAdxH6DajirgccGocXcIX8z6MMSYRHKo077AJO8XuOM4fsLHW2edNKJJ Bx4BBePsyP9liav2MbfD71gKq07NMdu4JVAuIv8mBxpLrmro/KbAXe+SK6bMBOa0x2nB2S k7BWOhOrJSiwF0ZXNEY4SzuO47ohN02BHFBR7dpJShaVuplaq4fqfBbjnk/nvQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1752832384; a=rsa-sha256; cv=none; b=Vs0t1GjjElifO8MkRkc3bIRq8botAGo23GQQSWWo042EGG6su9YYtbjk4uPmv1MQZcwr4L TO/U5XhPsjtP3+std8WPOWlIzElqNheHywLMlecmI9kN4r4G21OZkG6YRfihfTEaN6c9+3 Eu4rb0+IoWN4vt4E2ZD8yvXIf1Ec45wB+YYD6bLGbUaj050kcAibMow2iopfI137fFb0Zn Re0QhpvHY2RyHEWtz3V0DOkxALJLMtTVxKoUPF/EMgoXSYBHqb0uFvS2lyu/DGk5qV3QGT cooEc88rppB1TFQ49lxCaHMgBpA5ihQ66n1rxxIqolP6xRiwhL9bVizZPretYw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bk4q40WsQzbjP; Fri, 18 Jul 2025 09:53:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 56I9r331046818; Fri, 18 Jul 2025 09:53:03 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 56I9r37Z046815; Fri, 18 Jul 2025 09:53:03 GMT (envelope-from git) Date: Fri, 18 Jul 2025 09:53:03 GMT Message-Id: <202507180953.56I9r37Z046815@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: ec281d797c4f - main - pf: fix zero division found by syzkaller List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: ec281d797c4f0b4848c519fae97b5c2c6f368ec5 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=ec281d797c4f0b4848c519fae97b5c2c6f368ec5 commit ec281d797c4f0b4848c519fae97b5c2c6f368ec5 Author: Kristof Provost AuthorDate: 2025-07-09 13:14:50 +0000 Commit: Kristof Provost CommitDate: 2025-07-18 07:33:29 +0000 pf: fix zero division found by syzkaller The sanity checks in pf(4) ioctls are not powerful enough to detect invalid port ranges (or even invalid rules). syzkaller does not use pfctl(8), it uses ioctl(2) to pass some random chunk of memory as a rule to pf(4). Fix adds explicit check for 0 divider to pf_get_transaddr(). It should make syzkaller happy without disturbing anyone else. OK gnezdo@ Reported-by: syzbot+d1f00da48fa717e171f3@syzkaller.appspotmail.com Obtained from: OpenBSD, sashan , 38bfd041cb Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf_lb.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 26f7ab41eef4..9c7863bb301e 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -1012,10 +1012,13 @@ pf_get_transaddr(struct pf_test_ctx *ctx, struct pf_krule *r, if (rpool->proxy_port[1]) { uint32_t tmp_nport; + uint16_t div; - tmp_nport = ((ntohs(pd->ndport) - ntohs(r->dst.port[0])) % - (rpool->proxy_port[1] - rpool->proxy_port[0] + - 1)) + rpool->proxy_port[0]; + div = r->rdr.proxy_port[1] - r->rdr.proxy_port[0] + 1; + div = (div == 0) ? 1 : div; + + tmp_nport = ((ntohs(pd->ndport) - ntohs(r->dst.port[0])) % div) + + rpool->proxy_port[0]; /* Wrap around if necessary. */ if (tmp_nport > 65535)