Date: Thu, 6 Nov 2025 23:11:54 GMT From: Colin Percival <cperciva@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 1e5405d6b50b - releng/15.0 - pf: improve DIOCRCLRTABLES validation Message-ID: <202511062311.5A6NBsFg010479@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch releng/15.0 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=1e5405d6b50b527be94e4c179c40f2a866865cbc commit 1e5405d6b50b527be94e4c179c40f2a866865cbc Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-10-29 08:28:59 +0000 Commit: Colin Percival <cperciva@FreeBSD.org> CommitDate: 2025-11-06 23:11:05 +0000 pf: improve DIOCRCLRTABLES validation Unterminated strings in the anchor or name could cause crashes. Validate them, and add a test case. Approved by: re (cperciva) Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 1da3c0ca5b1decaa9cf55859cd134bdcd1218116) (cherry picked from commit 909528f8a13004e15c08c4793a6a349716f90447) --- sys/netpfil/pf/pf_ioctl.c | 11 +++++++++++ tests/sys/netpfil/pf/ioctl/validation.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index d7bb62977afb..856bbd6cb9cb 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -4788,6 +4788,17 @@ DIOCCHANGEADDR_error: error = ENODEV; goto fail; } + if (strnlen(io->pfrio_table.pfrt_anchor, MAXPATHLEN) + == MAXPATHLEN) { + error = EINVAL; + goto fail; + } + if (strnlen(io->pfrio_table.pfrt_name, PF_TABLE_NAME_SIZE) + == PF_TABLE_NAME_SIZE) { + error = EINVAL; + goto fail; + } + PF_RULES_WLOCK(); error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL); diff --git a/tests/sys/netpfil/pf/ioctl/validation.c b/tests/sys/netpfil/pf/ioctl/validation.c index ff3f1bbcdadc..7a1d2b3800cd 100644 --- a/tests/sys/netpfil/pf/ioctl/validation.c +++ b/tests/sys/netpfil/pf/ioctl/validation.c @@ -193,6 +193,38 @@ ATF_TC_CLEANUP(gettables, tc) COMMON_CLEANUP(); } +ATF_TC_WITH_CLEANUP(clrtables); +ATF_TC_HEAD(clrtables, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "require.kmods", "pf"); +} + +ATF_TC_BODY(clrtables, tc) +{ + struct pfioc_table io; + struct pfr_table tbl; + int flags; + + COMMON_HEAD(); + + flags = 0; + + memset(&io, '/', sizeof(io)); + io.pfrio_flags = flags; + io.pfrio_buffer = &tbl; + io.pfrio_esize = 0; + io.pfrio_size = 1; + + if (ioctl(dev, DIOCRCLRTABLES, &io) == 0) + atf_tc_fail("Request with unterminated anchor name succeeded"); +} + +ATF_TC_CLEANUP(clrtables, tc) +{ + COMMON_CLEANUP(); +} + ATF_TC_WITH_CLEANUP(gettstats); ATF_TC_HEAD(gettstats, tc) { @@ -957,6 +989,7 @@ ATF_TP_ADD_TCS(tp) ATF_TP_ADD_TC(tp, addtables); ATF_TP_ADD_TC(tp, deltables); ATF_TP_ADD_TC(tp, gettables); + ATF_TP_ADD_TC(tp, clrtables); ATF_TP_ADD_TC(tp, getastats); ATF_TP_ADD_TC(tp, gettstats); ATF_TP_ADD_TC(tp, clrtstats);help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202511062311.5A6NBsFg010479>