Date: Tue, 12 May 2026 09:33:50 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 295218] problem with pf_nl.c's nested_table_parser
Message-ID: <bug-295218-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295218

            Bug ID: 295218
           Summary: problem with pf_nl.c's nested_table_parser
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

User code can cause the kernel pf netlink code to write beyond the bounds of
stack-allocated objects due to the way that pf_nl.c's nested_table_parser is
used.

nested_table_parser is willing to let user-supplied netlink commands cause
writes to pfioc_table.pfrio_flags:

    #define _OUT(_field) offsetof(struct pfioc_table, _field)
    static const struct nlattr_parser nla_p_table[] = {
        ...,
        { .type = PF_T_FLAGS, .off = _OUT(pfrio_flags), .cb = nlattr_get_uint32 },
    };
    ...
    NL_DECLARE_ATTR_PARSER(nested_table_parser, nla_p_table);

But then nested_table_parser is used in contexts where the target is not a
pfioc_table, for example in table_astats_parser:

    #define _OUT(_field) offsetof(struct nl_parsed_table_astats, _field)
    static const struct nlattr_parser nla_p_table_astats[] = {
        { .type = PF_TAS_TABLE, .off = _OUT(table), .arg = &nested_table_parser, .cb = nlattr_get_nested },
    };
    NL_DECLARE_PARSER(table_astats_parser, struct genlmsghdr, nlf_p_empty, nla_p_table_astats);

In this example, pf_handle_table_get_astats() parses into a struct
nl_parsed_table_astats. This struct has size 1068, but the nested_table_parser
is willing to write "pfrio_flags" at offset 1096. This writes somewhere bad on
the stack.

One possible fix is that nla_p_table should be used only in table_parser, and
not also in nested_table_parser; instead, a separate nlattr_parser should be
declared for nested_table_parser, omitting the PF_T_FLAGS.

-- 
You are receiving this mail because:
You are the assignee for the bug.
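The defect described above is an offset table computed against one struct being applied to a different, smaller struct. The following is an added example, not code from the report or from FreeBSD's pf_nl.c: a generic attribute-apply routine that refuses any table offset which does not fit inside the struct actually being filled. The struct and table names are hypothetical stand-ins, and the sizes are constructed to echo the report's numbers (flags at offset 1096, a 1068-byte nested target), not the real kernel layouts.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins (hypothetical): the layout the offsets were computed
 * against, and the smaller struct the same table is later applied to. */
struct big_target {          /* plays the role of struct pfioc_table */
    char     body[1096];
    uint32_t flags;          /* offset 1096, like pfrio_flags in the report */
};
struct small_target {        /* plays the role of struct nl_parsed_table_astats */
    char     body[1068];     /* size 1068: the flags offset lies past its end */
};

struct attr_parser { int type; size_t off; size_t len; };

#define ATTR_BODY  1
#define ATTR_FLAGS 2

/* Hypothetical parser table; every .off is relative to struct big_target. */
static const struct attr_parser table_model[] = {
    { .type = ATTR_BODY,  .off = offsetof(struct big_target, body),  .len = 4 },
    { .type = ATTR_FLAGS, .off = offsetof(struct big_target, flags), .len = 4 },
};

/* Copy one 32-bit attribute into target according to the table.
 * Returns 0 on success, -1 for an unknown type or when the table's offset
 * would land outside the target_len bytes actually owned by the caller. */
int apply_attr(int type, uint32_t value, void *target, size_t target_len)
{
    size_t n = sizeof(table_model) / sizeof(table_model[0]);
    for (size_t i = 0; i < n; i++) {
        const struct attr_parser *p = &table_model[i];
        if (p->type != type)
            continue;
        /* Bounds check: reject before writing, with no size_t overflow. */
        if (p->off > target_len || p->len > target_len - p->off)
            return -1;
        memcpy((char *)target + p->off, &value, p->len);
        return 0;
    }
    return -1;
}

/* Same table, two targets: the big one accepts ATTR_FLAGS, the small one
 * (the nested-parser case from the report) must reject it. */
int demo_big(void)   { struct big_target b = {0};   return apply_attr(ATTR_FLAGS, 7, &b, sizeof b); }
int demo_small(void) { struct small_target s = {0}; return apply_attr(ATTR_FLAGS, 7, &s, sizeof s); }
int demo_small_ok(void) { struct small_target s = {0}; return apply_attr(ATTR_BODY, 5, &s, sizeof s); }
```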
