Date: Thu, 6 Jun 2024 13:46:07 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: dc3ee89c86d3 - main - pfctl: fix possible out-of-bounds read Message-ID: <202406061346.456Dk7A5010725@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=dc3ee89c86d30cc7a14dce9550bbd4d37c7ff182 commit dc3ee89c86d30cc7a14dce9550bbd4d37c7ff182 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2024-06-05 21:55:37 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2024-06-06 13:45:31 +0000 pfctl: fix possible out-of-bounds read Tags in $10 (filter_opts) are not guaranteed to be the maximum possible tag length, so memcpy() can end up reading outside of the allocated buffer. Use strlcpy() instead. Reported by: CheriBSD Event: Kitchener-Waterloo Hackathon 202406
---
 sbin/pfctl/parse.y | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 92e6e36f3b23..19e029c881d1 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1230,7 +1230,7 @@ etherrule : ETHER action dir quick interface bridge etherproto etherfromto l3fro
 r.direction = $3;
 r.quick = $4.quick;
 if ($10.tag != NULL)
- memcpy(&r.tagname, $10.tag, sizeof(r.tagname));
+ strlcpy(r.tagname, $10.tag, sizeof(r.tagname));
 if ($10.match_tag)
 if (strlcpy(r.match_tagname, $10.match_tag,
 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
@@ -1240,7 +1240,7 @@ etherrule : ETHER action dir quick interface bridge etherproto etherfromto l3fro
 }
 r.match_tag_not = $10.match_tag_not;
 if ($10.queues.qname != NULL)
- memcpy(&r.qname, $10.queues.qname, sizeof(r.qname));
+ strlcpy(r.qname, $10.queues.qname, sizeof(r.qname));
 r.dnpipe = $10.dnpipe;
 r.dnflags = $10.free_flags;
 if (eth_rule_label(&r, $10.label))
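Review bot: The two new strlcpy() calls discard their return value, so a tag or queue name longer than the destination is now silently truncated instead of rejected; this applies to `r.tagname` in the first hunk and to `r.qname` in the second. The match_tag copy visible a few lines below already compares the strlcpy() result with PF_TAG_NAME_SIZE, and the same guard would fit here, for example `if (strlcpy(r.tagname, $10.tag, sizeof(r.tagname)) >= sizeof(r.tagname))` followed by the error path that branch uses (its body lies between the hunks and is not shown). A truncated name can make the rule refer to a different tag or queue than the one written in the ruleset, unless the length is already validated where filter_opts is filled in, which is not visible from this diff. The etherrule action starts and ends outside both hunks.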