Date: Tue, 24 Nov 2020 16:18:48 +0000 (UTC)
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r367987 - head/sys/netpfil/pf
Message-ID: <202011241618.0AOGImKX060857@repo.freebsd.org>
Author: markj Date: Tue Nov 24 16:18:47 2020 New Revision: 367987 URL: https://svnweb.freebsd.org/changeset/base/367987 Log: pf: Make tag hashing more robust tagname2tag() hashes the tag name before truncating it to 63 characters. tag_unref() removes the tag from the name hash by computing the hash over the truncated name. Ensure that both operations compute the same hash for a given tag. The larger issue is a lack of string validation in pf(4) ioctl handlers. This is intended to be fixed with some future work, but an extra safety belt in tagname2hashindex() is worthwhile regardless. Reported by: syzbot+a0988828aafb00de7d68@syzkaller.appspotmail.com Reviewed by: kp MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D27346 Modified: head/sys/netpfil/pf/pf_ioctl.c Modified: head/sys/netpfil/pf/pf_ioctl.c ============================================================================== --- head/sys/netpfil/pf/pf_ioctl.c Tue Nov 24 15:32:25 2020 (r367986) +++ head/sys/netpfil/pf/pf_ioctl.c Tue Nov 24 16:18:47 2020 (r367987) @@ -512,8 +512,10 @@ pf_cleanup_tagset(struct pf_tagset *ts) static uint16_t tagname2hashindex(const struct pf_tagset *ts, const char *tagname) { + size_t len; - return (murmur3_32_hash(tagname, strlen(tagname), ts->seed) & ts->mask); + len = strnlen(tagname, PF_TAG_NAME_SIZE - 1); + return (murmur3_32_hash(tagname, len, ts->seed) & ts->mask); } static uint16_t
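Review bot: the new bound in tagname2hashindex(), `strnlen(tagname, PF_TAG_NAME_SIZE - 1)`, carries no comment explaining that it must match the truncation tagname2tag() applies when it stores the name, so a later change to either side could quietly bring back the insert/remove hash mismatch described in the log. A short comment above the `len = strnlen(...)` line stating that the hash is always computed over the name as stored (at most PF_TAG_NAME_SIZE - 1 bytes) would document the invariant. Since strnlen() also caps how far the function reads when the caller's buffer is not NUL-terminated, the comment could say so as well, given that the log notes the ioctl handlers do not yet validate their strings. Both the insert and remove paths go through this helper according to the log, so it may also be worth asserting in tag_unref() that the entry was actually found in the name hash before unlinking it.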