From owner-svn-src-head@freebsd.org Tue Aug 8 21:09:27 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 68F93DD087D; Tue, 8 Aug 2017 21:09:27 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 34C8873E29; Tue, 8 Aug 2017 21:09:27 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v78L9Qn1011323; Tue, 8 Aug 2017 21:09:26 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v78L9Q45011322; Tue, 8 Aug 2017 21:09:26 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201708082109.v78L9Q45011322@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Tue, 8 Aug 2017 21:09:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r322280 - head/sys/netpfil/pf X-SVN-Group: head X-SVN-Commit-Author: kp X-SVN-Commit-Paths: head/sys/netpfil/pf X-SVN-Commit-Revision: 322280 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Aug 2017 21:09:27 -0000 Author: kp Date: Tue Aug 8 21:09:26 2017 New Revision: 322280 URL: https://svnweb.freebsd.org/changeset/base/322280 Log: pf_get_sport(): Prevent possible endless loop when searching for an unused nat port This is an import of Alexander Bluhm's OpenBSD commit r1.60, the first chunk had to be modified because on OpenBSD the 'cut' declaration is located elsewhere. Upstream report by Jingmin Zhou: https://marc.info/?l=openbsd-pf&m=150020133510896&w=2 OpenBSD commit message: Use a 32 bit variable to detect integer overflow when searching for an unused nat port. Prevents a possible endless loop if high port is 65535 or low port is 0. report and analysis Jingmin Zhou; OK sashan@ visa@ Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c PR: 221201 Submitted by: Fabian Keil Obtained from: OpenBSD via ElectroBSD MFC after: 1 week Modified: head/sys/netpfil/pf/pf_lb.c Modified: head/sys/netpfil/pf/pf_lb.c ============================================================================== --- head/sys/netpfil/pf/pf_lb.c Tue Aug 8 21:01:11 2017 (r322279) +++ head/sys/netpfil/pf/pf_lb.c Tue Aug 8 21:09:26 2017 (r322280) @@ -259,7 +259,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf return (0); } } else { - uint16_t tmp, cut; + uint32_t tmp; + uint16_t cut; if (low > high) { tmp = low; @@ -269,7 +270,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf /* low < high */ cut = arc4random() % (1 + high - low) + low; /* low <= cut <= high */ - for (tmp = cut; tmp <= high; ++(tmp)) { + for (tmp = cut; tmp <= high && tmp <= 0xffff; ++tmp) { key.port[1] = htons(tmp); if (pf_find_state_all(&key, PF_IN, NULL) == NULL) { @@ -277,7 +278,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf return (0); } } - for (tmp = cut - 1; tmp >= low; --(tmp)) { + tmp = cut; + for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp) { key.port[1] = htons(tmp); if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {