Date: Wed, 9 Jul 2025 08:59:07 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: e97ce7c66ee0 - main - pf: improve DIOCNATLOOK validation
Message-ID: <202507090859.5698x7HA044989@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=e97ce7c66ee0ab0afe58695b6922ff310262d7c5 commit e97ce7c66ee0ab0afe58695b6922ff310262d7c5 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-07-03 15:23:46 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-07-09 08:57:49 +0000 pf: improve DIOCNATLOOK validation Check address family of pf ioctl(2) DIOCNATLOOK parameter at kernel entry instead of calling panic() due to unhandled af. Reported-by: syzbot+92be143c2dd1746cf2af@syzkaller.appspotmail.com from Benjamin Baier Also validate the direction. Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 4804479228 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf_ioctl.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 8a3f311d7d30..737f9ca060c5 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2817,6 +2817,28 @@ pf_ioctl_natlook(struct pfioc_natlook *pnl) (!pnl->dport || !pnl->sport))) return (EINVAL); + switch (pnl->direction) { + case PF_IN: + case PF_OUT: + case PF_INOUT: + break; + default: + return (EINVAL); + } + + switch (pnl->af) { +#ifdef INET + case AF_INET: + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + break; +#endif /* INET6 */ + default: + return (EAFNOSUPPORT); + } + bzero(&key, sizeof(key)); key.af = pnl->af; key.proto = pnl->proto;
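Review bot: in the new `switch (pnl->af)` the default case returns EAFNOSUPPORT, while the direction switch directly above it and the existing port check return EINVAL, and the diffstat shows only pf_ioctl.c changed, so the new errno is not documented anywhere in this commit. Consider noting both failure modes in the ioctl's manual entry so callers can tell a bad direction from an unsupported family. Because the af check sits after the proto/port check, a request with an unsupported af and missing ports still gets EINVAL; moving the af switch ahead of that check would make the reported error consistent. The direction switch also accepts PF_INOUT without a comment on what a NAT lookup in both directions is expected to match, so a short comment there would help. Since the panic was found by syzbot, a regression test that issues DIOCNATLOOK with an invalid af and an invalid direction and expects these errors would keep the check from regressing.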