Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 03 Mar 2016 07:17:24 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-stable@FreeBSD.org
Subject:   [Bug 207463] [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow
Message-ID:  <bug-207463-8075-xwng4f6hTy@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207463-8075@https.bugs.freebsd.org/bugzilla/>
References:  <bug-207463-8075@https.bugs.freebsd.org/bugzilla/>

next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D207463

--- Comment #5 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Thu Mar  3 07:16:36 UTC 2016
New revision: 296340
URL: https://svnweb.freebsd.org/changeset/base/296340

Log:
  MFC: r296025:

  pf: Fix possible out-of-bounds write

  In the DIOCRSETADDRS ioctl() handler we allocate a table for struct
pfr_addrs,
  which is processed in pfr_set_addrs(). At the users request we also provi=
de
  feedback on the deleted addresses, by storing them after the new list
  ('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).

  This means we write outside the bounds of the buffer we've just allocated.
  We need to look at pfrio_size2 instead (i.e. the size the user reserved f=
or
our
  feedback). That'd allow a malicious user to specify a smaller pfrio_size2
than
  pfrio_size though, in which case we'd still read outside of the allocated
  buffer. Instead we allocate the largest of the two values.

  Reported By:        Paul J Murphy <paul@inetstat.net>
  PR:         207463
  Approved by:  re (marius)

Changes:
_U  stable/10/
  stable/10/sys/netpfil/pf/pf_ioctl.c

--=20
You are receiving this mail because:
You are on the CC list for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-207463-8075-xwng4f6hTy>