Date: Wed, 24 Feb 2016 23:19:09 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-stable@FreeBSD.org
Subject: [Bug 207463] [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow
Message-ID: <bug-207463-8075-W6rimI9eXp@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207463-8075@https.bugs.freebsd.org/bugzilla/>
References: <bug-207463-8075@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207463

Kristof Provost <kp@freebsd.org> changed:

           What    |Removed                  |Added
----------------------------------------------------------------------------
                 CC|                         |kp@freebsd.org
           Assignee|freebsd-bugs@FreeBSD.org |kp@freebsd.org

--- Comment #1 from Kristof Provost <kp@freebsd.org> ---
I think your analysis is correct.

The intention of the bcopy() appears to be to copy additional addresses behind the original list (hence the adds + size + i construction).
You're correct that the buffer allocated by 'totlen = io->pfrio_size * sizeof(struct pfr_addr);' is too small for that.

It's possible to panic a box that way.

I don't think your fix is sufficient though. If user space provides a smaller pfrio_size2 than pfrio_size (remember that all user space programmers are out to get us!) then we'd still end up running outside the allocated buffer.

I think we need to allocate the largest of pfrio_size and pfrio_size2:
https://reviews.freebsd.org/D5426

-- 
You are receiving this mail because:
You are on the CC list for the bug.
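The sizing problem discussed in this comment, modelled in C as an added example that is not FreeBSD's pf_ioctl.c: the buffer is sized from pfrio_size alone, yet entries are written at adds + size + i, so any entry past the first pfrio_size ones lands outside the allocation, and a caller-supplied pfrio_size2 smaller than pfrio_size does not help. The struct pfr_addr layout, the MAX_ADDRS bound and the helper names below are constructed stand-ins, not the kernel's definitions; the hardened variant sizes the buffer from the larger of the two counts, which is the approach the comment proposes.

```c
/*
 * Added example, not FreeBSD pf code.  A minimal model of the DIOCRSETADDRS
 * buffer sizing: the request carries two counts, pfrio_size (entries in the
 * caller's list) and pfrio_size2 (total entries the caller has room for,
 * including the extra ones written after the original list).
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for pf's struct pfr_addr (constructed layout). */
struct pfr_addr {
    uint8_t pfra_af;
    uint8_t pfra_net;
    uint8_t pfra_data[16];
};

/* Upper bound on entries per request; a constructed value, not pf's limit. */
#define MAX_ADDRS 65536

/*
 * Vulnerable sizing, as described in the report: only pfrio_size feeds the
 * allocation, although later writes go to adds + size + i for i >= 0.
 */
size_t totlen_vulnerable(int pfrio_size, int pfrio_size2)
{
    (void)pfrio_size2;          /* ignored: this is the bug */
    return (size_t)pfrio_size * sizeof(struct pfr_addr);
}

/*
 * Hardened sizing: refuse negative or oversized counts (the caller returns
 * EINVAL when 0 comes back), then size the buffer for the larger count so a
 * pfrio_size2 smaller than pfrio_size cannot shrink the allocation below
 * what the original list alone needs.
 */
size_t totlen_hardened(int pfrio_size, int pfrio_size2)
{
    if (pfrio_size < 0 || pfrio_size2 < 0 ||
        pfrio_size > MAX_ADDRS || pfrio_size2 > MAX_ADDRS)
        return 0;
    int count = pfrio_size > pfrio_size2 ? pfrio_size : pfrio_size2;
    return (size_t)count * sizeof(struct pfr_addr);
}

/*
 * Would writing entry i at adds + size + i stay inside a buffer of totlen
 * bytes?  Returns 1 if the write ends within the buffer, 0 otherwise.
 */
int write_in_bounds(size_t totlen, int size, int i)
{
    size_t end = ((size_t)size + (size_t)i + 1) * sizeof(struct pfr_addr);
    return end <= totlen;
}

/* Stand-alone walk-through with constructed counts. */
int main(void)
{
    int size = 2, size2 = 5;   /* constructed: list of 2, room reported for 5 */

    size_t bad = totlen_vulnerable(size, size2);
    size_t good = totlen_hardened(size, size2);
    printf("vulnerable totlen=%zu hardened totlen=%zu\n", bad, good);

    /* First extra entry (i = 0) already overruns the vulnerable buffer. */
    printf("extra entry 0: vulnerable in bounds=%d, hardened in bounds=%d\n",
           write_in_bounds(bad, size, 0), write_in_bounds(good, size, 0));

    /* Caller claims size2 < size: the hardened size still covers the list. */
    printf("size2 < size: hardened totlen=%zu (list needs %zu)\n",
           totlen_hardened(5, 2), 5 * sizeof(struct pfr_addr));

    /* Negative or absurd counts are refused outright. */
    printf("negative size2 refused: %d\n", totlen_hardened(2, -1) == 0);

    char *adds = malloc(good);
    if (adds == NULL)
        return 1;
    memset(adds, 0, good);
    free(adds);
    return 0;
}
```

The two helpers take the counts directly so the sizing logic can be checked in isolation; in the kernel the same decision happens once, before copyin(), and everything downstream trusts that totlen covers both the caller's list and the entries appended behind it.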