Date:      Mon, 05 Jan 2026 20:00:29 +0000
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: da3bf842791e - stable/15 - ipfilter: Add ipf_check_names_string()
Message-ID:  <695c185d.810f.2bfb73ed@gitrepo.freebsd.org>


The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=da3bf842791ebac75f2c336c58ca8d1dce14eb09

commit da3bf842791ebac75f2c336c58ca8d1dce14eb09
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-11-18 19:23:06 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-01-05 20:00:00 +0000

    ipfilter: Add ipf_check_names_string()
    
    ipf_check_names_string will verify userland inputs in names strings
    (fr.fr_names, in.in_names) for correctness.
    
    Original concept of ipf_check_names_string() instead of macros by
    markj.
    
    Reviewed by:            markj
    MFC after:              1 week
    Differential revision:  https://reviews.freebsd.org/D53843
    
    (cherry picked from commit 525c535d5aa87f686dcfee620619827f7c6090db)
---
 sys/netpfil/ipfilter/netinet/fil.c    | 31 +++++++++++++++++++++++++++++++
 sys/netpfil/ipfilter/netinet/ip_fil.h |  1 +
 2 files changed, 32 insertions(+)

diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index 2fcea433295f..d487cdde20d8 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -9951,3 +9951,34 @@ ipf_inet6_mask_del(int bits, i6addr_t *mask, ipf_v6_masktab_t *mtab)
 	ASSERT(mtab->imt6_max >= 0);
 }
 #endif
+
+/* ------------------------------------------------------------------------ */
+/* Function:    ipf_check_names_string                                      */
+/* Returns:     int       -  0 == success                                   */
+/*                        -  1 == negative offset                           */
+/*                        -  2 == offset exceds namelen                     */
+/*                        -  3 == string exceeds the names string           */
+/* Parameters:  names   - pointer to names string                           */
+/*              namelen - total length of names string                      */
+/*              offset  - offset into names string                          */
+/*                                                                          */
+/* Validate the names string (fr_names for ipfilter, in_names for ipnat).   */
+/* ------------------------------------------------------------------------ */
+int
+ipf_check_names_string(char *names, int namelen, int offset)
+{
+	const char *name;
+	size_t len;
+
+	if (offset == -1)
+		return (0);
+	if (offset < 0)
+		return (1);
+	if (offset > namelen)
+		return (2);
+	name = &names[offset];
+	len = strnlen(name, namelen - offset);
+	if (len == namelen - offset)
+		return (3);
+	return (0);
+}
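Review bot: the return-code table in the header comment does not match the code for the boundary case offset == namelen: the check `if (offset > namelen) return (2);` lets that value through, `strnlen(name, 0)` then yields 0, and `len == namelen - offset` holds, so the caller sees code 3 ("string exceeds the names string") rather than 2 ("offset exceeds namelen"). Either change the test to `offset >= namelen` so an offset at or past the end is reported as an offset error, or document that an offset equal to namelen is reported as an unterminated string; the behaviour is safe either way (no byte is read past names), but the documented codes should match. Also "exceds" in the comment should read "exceeds", and since the function only reads `names` the parameter can be `const char *`, which lets callers pass const buffers without a cast.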
diff --git a/sys/netpfil/ipfilter/netinet/ip_fil.h b/sys/netpfil/ipfilter/netinet/ip_fil.h
index aa3d1de422db..ad6128d9a8e2 100644
--- a/sys/netpfil/ipfilter/netinet/ip_fil.h
+++ b/sys/netpfil/ipfilter/netinet/ip_fil.h
@@ -1859,5 +1859,6 @@ extern	int	ipf_ht_node_del(host_track_t *, int, i6addr_t *);
 extern	void	ipf_rb_ht_flush(host_track_t *);
 extern	void	ipf_rb_ht_freenode(host_node_t *, void *);
 extern	void	ipf_rb_ht_init(host_track_t *);
+extern	int	ipf_check_names_string(char *, int, int);
 
 #endif	/* __IP_FIL_H__ */
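Review bot: the prototype `extern int ipf_check_names_string(char *, int, int);` should match whatever constness is settled on in fil.c; if the definition becomes `const char *names`, this declaration must change in the same commit or the build breaks. A one-line comment here naming the non-zero return codes (1, 2, 3 as described above the definition) would also help callers, who otherwise need to open fil.c to learn that any non-zero value means the names string failed validation.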

