From owner-svn-src-all@freebsd.org  Fri Apr 13 19:23:10 2018
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1D822FA10AD;
 Fri, 13 Apr 2018 19:23:10 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 1C41971A47;
 Fri, 13 Apr 2018 19:23:06 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6E4F61DF03;
 Fri, 13 Apr 2018 19:23:06 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w3DJN67t018944;
 Fri, 13 Apr 2018 19:23:06 GMT (envelope-from kp@FreeBSD.org)
Received: (from kp@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w3DJN6JZ018943;
 Fri, 13 Apr 2018 19:23:06 GMT (envelope-from kp@FreeBSD.org)
Message-Id: <201804131923.w3DJN6JZ018943@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org
 using -f
From: Kristof Provost <kp@FreeBSD.org>
Date: Fri, 13 Apr 2018 19:23:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r332487 - stable/10/sys/netpfil/pf
X-SVN-Group: stable-10
X-SVN-Commit-Author: kp
X-SVN-Commit-Paths: stable/10/sys/netpfil/pf
X-SVN-Commit-Revision: 332487
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 19:23:10 -0000

Author: kp
Date: Fri Apr 13 19:23:06 2018
New Revision: 332487
URL: https://svnweb.freebsd.org/changeset/base/332487

Log:
  MFC r332101:
  
  pf: Improve ioctl validation for DIOCRADDTABLES and DIOCRDELTABLES
  
  The DIOCRADDTABLES and DIOCRDELTABLES ioctls can process a number of
  tables at a time, and as such try to allocate <number of tables> *
  sizeof(struct pfr_table). This multiplication can overflow. Thanks to
  mallocarray() this is not exploitable, but an overflow does panic the
  system.
  
  Arbitrarily limit this to 65535 tables. pfctl only ever processes one
  table at a time, so it presents no issues there.

Modified:
  stable/10/sys/netpfil/pf/pf_ioctl.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_ioctl.c	Fri Apr 13 19:23:01 2018	(r332486)
+++ stable/10/sys/netpfil/pf/pf_ioctl.c	Fri Apr 13 19:23:06 2018	(r332487)
@@ -83,6 +83,8 @@ __FBSDID("$FreeBSD$");
 #include <altq/altq.h>
 #endif
 
+#define PF_TABLES_MAX_REQUEST   65535 /* Maximum tables per request. */
+
 static int		 pfattach(void);
 static struct pf_pool	*pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
 			    u_int8_t, u_int8_t, u_int8_t);
@@ -2513,13 +2515,15 @@ DIOCCHANGEADDR_error:
 			error = ENODEV;
 			break;
 		}
-		totlen = io->pfrio_size * sizeof(struct pfr_table);
-		pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
-		    M_TEMP, M_WAITOK);
-		if (! pfrts) {
+
+		if (io->pfrio_size < 0 || io->pfrio_size > PF_TABLES_MAX_REQUEST) {
 			error = ENOMEM;
 			break;
 		}
+
+		totlen = io->pfrio_size * sizeof(struct pfr_table);
+		pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
+		    M_TEMP, M_WAITOK);
 		error = copyin(io->pfrio_buffer, pfrts, totlen);
 		if (error) {
 			free(pfrts, M_TEMP);
@@ -2542,13 +2546,15 @@ DIOCCHANGEADDR_error:
 			error = ENODEV;
 			break;
 		}
-		totlen = io->pfrio_size * sizeof(struct pfr_table);
-		pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
-		    M_TEMP, M_WAITOK);
-		if (! pfrts) {
+
+		if (io->pfrio_size < 0 || io->pfrio_size > PF_TABLES_MAX_REQUEST) {
 			error = ENOMEM;
 			break;
 		}
+
+		totlen = io->pfrio_size * sizeof(struct pfr_table);
+		pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table),
+		    M_TEMP, M_WAITOK);
 		error = copyin(io->pfrio_buffer, pfrts, totlen);
 		if (error) {
 			free(pfrts, M_TEMP);