Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 6 Nov 2025 23:11:53 GMT
From:      Colin Percival <cperciva@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 05c3c8c0aba3 - releng/15.0 - pf: improve add state validation
Message-ID:  <202511062311.5A6NBrXJ010434@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=05c3c8c0aba39362d88b76ea22ae80328bca9c13

commit 05c3c8c0aba39362d88b76ea22ae80328bca9c13
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-10-29 10:40:52 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-11-06 23:11:02 +0000

    pf: improve add state validation
    
    Both for the DIOCADDSTATE ioctl and for states imported through pfsync packets.
    Add a test case to exercise this code path.
    
    Approved by:    re (cperciva)
    Reported by:    Ilja Van Sprundel <ivansprundel@ioactive.com>
    MFC after:      3 days
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit faacc0d968816cf8714c974b6d8df6191cfb0e0d)
    (cherry picked from commit 4891e6f1c0ee9d81ca36b9d74d8ef4ef20690621)
---
 sys/netpfil/pf/if_pfsync.c              |  3 +++
 tests/sys/netpfil/pf/ioctl/validation.c | 25 +++++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 66bc99df2afa..de69ecbb0985 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -546,6 +546,9 @@ pfsync_state_import(union pfsync_state_union *sp, int flags, int msg_version)
 
 	PF_RULES_RASSERT();
 
+	if (strnlen(sp->pfs_1301.ifname, IFNAMSIZ) == IFNAMSIZ)
+		return (EINVAL);
+
 	if (sp->pfs_1301.creatorid == 0) {
 		if (V_pf_status.debug >= PF_DEBUG_MISC)
 			printf("%s: invalid creator id: %08x\n", __func__,
diff --git a/tests/sys/netpfil/pf/ioctl/validation.c b/tests/sys/netpfil/pf/ioctl/validation.c
index 18fafe11c6ab..ff3f1bbcdadc 100644
--- a/tests/sys/netpfil/pf/ioctl/validation.c
+++ b/tests/sys/netpfil/pf/ioctl/validation.c
@@ -928,6 +928,30 @@ ATF_TC_CLEANUP(natlook, tc)
 	COMMON_CLEANUP();
 }
 
+ATF_TC_WITH_CLEANUP(addstate);
+ATF_TC_HEAD(addstate, tc)
+{
+	atf_tc_set_md_var(tc, "require.user", "root");
+	atf_tc_set_md_var(tc, "require.kmods", "pfsync");
+}
+
+ATF_TC_BODY(addstate, tc)
+{
+	struct pfioc_state st;
+
+	COMMON_HEAD();
+
+	memset(&st, 'a', sizeof(st));
+	st.state.timeout = PFTM_TCP_FIRST_PACKET;
+
+	ATF_CHECK_ERRNO(EINVAL, ioctl(dev, DIOCADDSTATE, &st) == -1);
+}
+
+ATF_TC_CLEANUP(addstate, tc)
+{
+	COMMON_CLEANUP();
+}
+
 ATF_TP_ADD_TCS(tp)
 {
 	ATF_TP_ADD_TC(tp, addtables);
@@ -953,6 +977,7 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, rpool_mtx);
 	ATF_TP_ADD_TC(tp, rpool_mtx2);
 	ATF_TP_ADD_TC(tp, natlook);
+	ATF_TP_ADD_TC(tp, addstate);
 
 	return (atf_no_error());
 }
help

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202511062311.5A6NBrXJ010434>