Date: Thu, 03 Mar 2016 07:17:24 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-stable@FreeBSD.org Subject: [Bug 207463] [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow Message-ID: <bug-207463-8075-xwng4f6hTy@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-207463-8075@https.bugs.freebsd.org/bugzilla/> References: <bug-207463-8075@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D207463 --- Comment #5 from commit-hook@freebsd.org --- A commit references this bug: Author: kp Date: Thu Mar 3 07:16:36 UTC 2016 New revision: 296340 URL: https://svnweb.freebsd.org/changeset/base/296340 Log: MFC: r296025: pf: Fix possible out-of-bounds write In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs, which is processed in pfr_set_addrs(). At the users request we also provi= de feedback on the deleted addresses, by storing them after the new list ('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()). This means we write outside the bounds of the buffer we've just allocated. We need to look at pfrio_size2 instead (i.e. the size the user reserved f= or our feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than pfrio_size though, in which case we'd still read outside of the allocated buffer. Instead we allocate the largest of the two values. Reported By: Paul J Murphy <paul@inetstat.net> PR: 207463 Approved by: re (marius) Changes: _U stable/10/ stable/10/sys/netpfil/pf/pf_ioctl.c --=20 You are receiving this mail because: You are on the CC list for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-207463-8075-xwng4f6hTy>