git: d5ea04ee7ba6 - main - dummynet: Avoid an out-of-bounds read in do_config()

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Mon, 29 Nov 2021 18:57:52 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d5ea04ee7ba6c7cd8e0918a080caf5f2c8fb3955

commit d5ea04ee7ba6c7cd8e0918a080caf5f2c8fb3955
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-11-29 18:50:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-11-29 18:57:24 +0000

    dummynet: Avoid an out-of-bounds read in do_config()
    
    do_config() processes a buffer of variable-length dummynet commands.
    The loop which processes this buffer loads the fixed-length header
    before checking whether there are any bytes left to read, so it performs
    a 4-byte read past the end of the buffer before terminating.
    
    Restructure the loop to avoid this.
    
    Reported by:    Jenkins (KASAN job)
    Reviewed by:    kp
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D33132
---
 sys/netpfil/ipfw/ip_dummynet.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/ipfw/ip_dummynet.c b/sys/netpfil/ipfw/ip_dummynet.c
index a890507f7b31..919445ff71d0 100644
--- a/sys/netpfil/ipfw/ip_dummynet.c
+++ b/sys/netpfil/ipfw/ip_dummynet.c
@@ -2011,7 +2011,9 @@ do_config(void *p, int l)
 	}
 	arg = NULL;
 	dn = NULL;
-	for (off = 0; l >= sizeof(o); memcpy(&o, (char *)p + off, sizeof(o))) {
+	off = 0;
+	while (l >= sizeof(o)) {
+		memcpy(&o, (char *)p + off, sizeof(o));
 		if (o.len < sizeof(o) || l < o.len) {
 			D("bad len o.len %d len %d", o.len, l);
 			err = EINVAL;