Date:      Wed, 17 Feb 2021 13:06:12 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: f8d1f2da0922 - stable/12 - pf: Slightly relax pf_rule_addr validation
Message-ID:  <202102171306.11HD6CRY064883@gitrepo.freebsd.org>

The branch stable/12 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=f8d1f2da0922fdff846b13baa7315652b43aa95c

commit f8d1f2da0922fdff846b13baa7315652b43aa95c
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-02-13 15:31:52 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-02-17 09:11:19 +0000

    pf: Slightly relax pf_rule_addr validation
    
    Ensure we don't reject no-route / urpf-failed addresses.
    
    PR:             253479
    Reported by:    michal AT microwave.sk
    Reviewed by:    donner@
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D28650
    
    (cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)
---
 sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index bbb9cfe39586..edf147699235 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1558,9 +1558,33 @@ pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
 	rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
 }
 
+static int
+pf_check_rule_addr(const struct pf_rule_addr *addr)
+{
+
+	switch (addr->addr.type) {
+	case PF_ADDR_ADDRMASK:
+	case PF_ADDR_NOROUTE:
+	case PF_ADDR_DYNIFTL:
+	case PF_ADDR_TABLE:
+	case PF_ADDR_URPFFAILED:
+	case PF_ADDR_RANGE:
+		break;
+	default:
+		return (EINVAL);
+	}
+
+	if (addr->addr.p.dyn != NULL) {
+		return (EINVAL);
+	}
+
+	return (0);
+}
+
 static int
 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
 {
+	int ret;
 
 #ifndef INET
 	if (rule->af == AF_INET) {
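Review bot: The new pf_check_rule_addr() carries no comment, although it is the single place where the address half of a userland-supplied rule is accepted or rejected before pf_rule_to_krule() converts it, and the two checks it makes are not self-explanatory. The switch enumerates the address types the ioctl path is willing to accept, and the `p.dyn != NULL` test refuses a rule whose caller already filled in the kernel-side pointer union; presumably that field is meant to be populated only by the kernel later, which is worth confirming and stating. I would add above the definition `/* Validate one address of a userland pf_rule: accept only the listed address types and reject any preset kernel pointer in addr->addr.p. Returns 0 or an errno. */`. pf_rule_to_krule() itself continues past the end of this hunk, so whether the remaining fields of the rule get equivalent validation is not visible here.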
@@ -1573,23 +1597,12 @@ pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
 	}
 #endif /* INET6 */
 
-	if (rule->src.addr.type != PF_ADDR_ADDRMASK &&
-	    rule->src.addr.type != PF_ADDR_DYNIFTL &&
-	    rule->src.addr.type != PF_ADDR_TABLE) {
-		return (EINVAL);
-	}
-	if (rule->src.addr.p.dyn != NULL) {
-		return (EINVAL);
-	}
-
-	if (rule->dst.addr.type != PF_ADDR_ADDRMASK &&
-	    rule->dst.addr.type != PF_ADDR_DYNIFTL &&
-	    rule->dst.addr.type != PF_ADDR_TABLE) {
-		return (EINVAL);
-	}
-	if (rule->dst.addr.p.dyn != NULL) {
-		return (EINVAL);
-	}
+	ret = pf_check_rule_addr(&rule->src);
+	if (ret != 0)
+		return (ret);
+	ret = pf_check_rule_addr(&rule->dst);
+	if (ret != 0)
+		return (ret);
 
 	bzero(krule, sizeof(*krule));
 


