Date: Mon, 6 Dec 2021 14:18:41 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 55351c2620c5 - stable/12 - dummynet: Avoid an out-of-bounds read in do_config() Message-ID: <202112061418.1B6EIfOZ095621@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/12 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=55351c2620c5c9387cacc47def0f8c0bcec237f0 commit 55351c2620c5c9387cacc47def0f8c0bcec237f0 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-11-29 18:50:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-12-06 14:18:24 +0000 dummynet: Avoid an out-of-bounds read in do_config() do_config() processes a buffer of variable-length dummynet commands. The loop which processes this buffer loads the fixed-length header before checking whether there are any bytes left to read, so it performs a 4-byte read past the end of the buffer before terminating. Restructure the loop to avoid this. Reported by: Jenkins (KASAN job) Reviewed by: kp Sponsored by: The FreeBSD Foundation (cherry picked from commit d5ea04ee7ba6c7cd8e0918a080caf5f2c8fb3955) --- sys/netpfil/ipfw/ip_dummynet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/ipfw/ip_dummynet.c b/sys/netpfil/ipfw/ip_dummynet.c index 5a88a803e88d..57dbcb3c9a35 100644 --- a/sys/netpfil/ipfw/ip_dummynet.c +++ b/sys/netpfil/ipfw/ip_dummynet.c @@ -2012,7 +2012,9 @@ do_config(void *p, int l) } arg = NULL; dn = NULL; - for (off = 0; l >= sizeof(o); memcpy(&o, (char *)p + off, sizeof(o))) { + off = 0; + while (l >= sizeof(o)) { + memcpy(&o, (char *)p + off, sizeof(o)); if (o.len < sizeof(o) || l < o.len) { D("bad len o.len %d len %d", o.len, l); err = EINVAL;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202112061418.1B6EIfOZ095621>