Date: Wed, 9 Jul 2025 08:59:07 GMT
Message-Id: <202507090859.5698x7HA044989@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: e97ce7c66ee0 - main - pf: improve DIOCNATLOOK validation
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@FreeBSD.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e97ce7c66ee0ab0afe58695b6922ff310262d7c5
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=e97ce7c66ee0ab0afe58695b6922ff310262d7c5

commit e97ce7c66ee0ab0afe58695b6922ff310262d7c5
Author:     Kristof Provost
AuthorDate: 2025-07-03 15:23:46 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-09 08:57:49 +0000

    pf: improve DIOCNATLOOK validation

    Check address family of pf ioctl(2) DIOCNATLOOK parameter at kernel
    entry instead of calling panic() due to unhandled af.
    Reported-by: syzbot+92be143c2dd1746cf2af@syzkaller.appspotmail.com
    from Benjamin Baier

    Also validate the direction.

    Obtained from:  OpenBSD, bluhm , 4804479228
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
--- sys/netpfil/pf/pf_ioctl.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 8a3f311d7d30..737f9ca060c5 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2817,6 +2817,28 @@ pf_ioctl_natlook(struct pfioc_natlook *pnl) (!pnl->dport || !pnl->sport))) return (EINVAL); + switch (pnl->direction) { + case PF_IN: + case PF_OUT: + case PF_INOUT: + break; + default: + return (EINVAL); + } + + switch (pnl->af) { +#ifdef INET + case AF_INET: + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + break; +#endif /* INET6 */ + default: + return (EAFNOSUPPORT); + } + bzero(&key, sizeof(key)); key.af = pnl->af; key.proto = pnl->proto;
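
Review bot: The `default:` arm of `switch (pnl->af)` returns `EAFNOSUPPORT`, while the new direction switch and the existing port check just above both return `EINVAL`, and the diffstat touches only `pf_ioctl.c`, so the new errno for DIOCNATLOOK is not documented anywhere in this change. A short comment above the switch, or a matching update to the DIOCNATLOOK description in pf(4), would tell callers that an unsupported address family is now reported separately from a malformed request. Both switches are also placed after the pre-existing `return (EINVAL);`, whose condition is only partly visible in the context lines; if that condition reads `pnl->af`, consider moving the address family check ahead of it so the field is validated before its first use and the errno for a bad `af` does not depend on the other fields.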