git: dc3ee89c86d3 - main - pfctl: fix possible out-of-bounds read

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 06 Jun 2024 13:46:07 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=dc3ee89c86d30cc7a14dce9550bbd4d37c7ff182

commit dc3ee89c86d30cc7a14dce9550bbd4d37c7ff182
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-06-05 21:55:37 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-06-06 13:45:31 +0000

    pfctl: fix possible out-of-bounds read
    
    Tags in $10 (filter_opts) are not guaranteed to be the maximum possible
    tag length, so memcpy() can end up reading outside of the allocated
    buffer.
    
    Use strlcpy() instead.
    
    Reported by:    CheriBSD
    Event:          Kitchener-Waterloo Hackathon 202406
---
 sbin/pfctl/parse.y | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 92e6e36f3b23..19e029c881d1 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1230,7 +1230,7 @@ etherrule	: ETHER action dir quick interface bridge etherproto etherfromto l3fro
 			r.direction = $3;
 			r.quick = $4.quick;
 			if ($10.tag != NULL)
-				memcpy(&r.tagname, $10.tag, sizeof(r.tagname));
+				strlcpy(r.tagname, $10.tag, sizeof(r.tagname));
 			if ($10.match_tag)
 				if (strlcpy(r.match_tagname, $10.match_tag,
 				    PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
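Review bot: The new `strlcpy(r.tagname, $10.tag, sizeof(r.tagname));` discards its return value, so a tag longer than the destination is silently truncated, whereas the `match_tag` copy directly below compares the result against `PF_TAG_NAME_SIZE` and takes an error branch. The same applies to `strlcpy(r.qname, $10.queues.qname, sizeof(r.qname));` in the second hunk. Unless the length is already validated where `filter_opts` is built (not visible here), the loaded ether rule could carry a tag or queue name different from the one in the ruleset, which later rules matching on the full tag would not see. I would guard both copies the same way, e.g. `if (strlcpy(r.tagname, $10.tag, sizeof(r.tagname)) >= sizeof(r.tagname))`, followed by the error handling the `match_tag` branch uses. The body of that branch and the rest of the `etherrule` action lie outside the hunk.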
@@ -1240,7 +1240,7 @@ etherrule	: ETHER action dir quick interface bridge etherproto etherfromto l3fro
 				}
 			r.match_tag_not = $10.match_tag_not;
 			if ($10.queues.qname != NULL)
-				memcpy(&r.qname, $10.queues.qname, sizeof(r.qname));
+				strlcpy(r.qname, $10.queues.qname, sizeof(r.qname));
 			r.dnpipe = $10.dnpipe;
 			r.dnflags = $10.free_flags;
 			if (eth_rule_label(&r, $10.label))