git: d62832e21a0e - main - pf: make length overflow protection more obvious
Date: Wed, 12 Feb 2025 19:39:10 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=d62832e21a0e396470bbe072ad33496e708db582
commit d62832e21a0e396470bbe072ad33496e708db582
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-02-06 15:43:14 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-12 19:38:38 +0000
pf: make length overflow protection more obvious
Before pulling the TCP options from the mbuf onto the stack, do an
additional length check in pf_modulate_sack() and pf_normalize_mss().
Overflow cannot happen due to the restricted values in the length
calculation. As this is not obvious, better safe than sorry.
OK henning@
Obtained from: OpenBSD, henning <henning@openbsd.org>, a9e7ebb0d5
Sponsored by: Rubicon Communications, LLC ("Netgate")
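The commit message says the overflow "cannot happen due to the restricted values in the length calculation". The added example below (not pf code, not from the commit) shows where that restriction comes from and what the explicit check buys: the option length is derived from the 4-bit TCP data offset, so it can never exceed 40 bytes, which is exactly MAX_TCPOPTLEN; the check still rejects anything outside [TCPOLEN_SACKLEN, MAX_TCPOPTLEN] before a memcpy into a fixed-size stack buffer, and a short packet is refused the way a failed pf_pull_hdr would be. The option walker is the kind of loop the second hunk leads into, with per-option bounds checks. Function names (tcp_opts_len, pull_tcp_opts, count_sack_blocks, sample_sack_count) and the sample segment are constructed for this example; the MAX_TCPOPTLEN and TCPOLEN_SACK values are the ones from <netinet/tcp.h>, redefined here so the file is self-contained.

```c
/* Added example, not pf code. Demonstrates the bound behind the commit's
 * length check and a bounds-checked TCP option walk. All names below are
 * hypothetical; the constants mirror <netinet/tcp.h>. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TCPOPTLEN   40                  /* 60-byte max header minus 20 fixed */
#define TCPOLEN_SACK    8                   /* one SACK block: two 32-bit seqs */
#define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)  /* kind + len + one block, as in pf.c */

/* Option bytes = data offset (4-bit field, 32-bit words) * 4 - 20.
 * th_off <= 15 gives thoff <= 60, so the result is at most 40 == MAX_TCPOPTLEN.
 * A malformed th_off < 5 yields a negative value, which the caller must reject. */
static int
tcp_opts_len(uint8_t th_off)
{
	int thoff = (th_off & 0x0f) << 2;
	return thoff - 20;
}

/* Copy `len` option bytes starting at `off` in `pkt` into a MAX_TCPOPTLEN
 * buffer. Returns 1 on success, 0 on any length problem. The explicit range
 * check is the belt-and-braces the commit adds; the short-packet check plays
 * the role of pf_pull_hdr() failing on an mbuf that is too short. */
static int
pull_tcp_opts(const uint8_t *pkt, size_t pktlen, size_t off, int len,
    uint8_t opts[MAX_TCPOPTLEN])
{
	if (len < TCPOLEN_SACKLEN || len > MAX_TCPOPTLEN)
		return 0;
	if (off > pktlen || (size_t)len > pktlen - off)
		return 0;
	memcpy(opts, pkt + off, (size_t)len);
	return 1;
}

/* Walk `len` option bytes and return the number of SACK blocks, or -1 if an
 * option is malformed. Every step verifies the option's length byte fits in
 * the remaining bytes, so a hostile packet cannot push the cursor past `len`. */
static int
count_sack_blocks(const uint8_t *opts, int len)
{
	int n = 0;
	for (int i = 0; i < len; ) {
		uint8_t kind = opts[i];
		if (kind == 0)                       /* TCPOPT_EOL */
			break;
		if (kind == 1) {                     /* TCPOPT_NOP */
			i++;
			continue;
		}
		if (i + 1 >= len)                    /* no room for the length byte */
			return -1;
		int optlen = opts[i + 1];
		if (optlen < 2 || i + optlen > len)  /* length runs past the options */
			return -1;
		if (kind == 5) {                     /* TCPOPT_SACK */
			if ((optlen - 2) % TCPOLEN_SACK != 0)
				return -1;
			n += (optlen - 2) / TCPOLEN_SACK;
		}
		i += optlen;
	}
	return n;
}

/* Constructed segment: 20-byte fixed header with data offset 8 (32-byte
 * header, 12 option bytes): NOP, NOP, SACK kind 5 len 10 carrying one block. */
static const uint8_t sample_seg[32] = {
	0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 2,
	0x80, 0x10, 0xff, 0xff, 0, 0, 0, 0,  /* byte 12: th_off = 8 in high nibble */
	1, 1, 5, 10, 0, 0, 0, 100, 0, 0, 0, 200,
};

/* Pull and parse the sample segment's options; returns the SACK block count
 * (1 for sample_seg) or -1 if the pull or the walk fails. */
static int
sample_sack_count(void)
{
	uint8_t opts[MAX_TCPOPTLEN];
	int len = tcp_opts_len(sample_seg[12] >> 4);
	if (!pull_tcp_opts(sample_seg, sizeof(sample_seg), 20, len, opts))
		return -1;
	return count_sack_blocks(opts, len);
}

int
main(void)
{
	printf("max option bytes from th_off=15: %d (MAX_TCPOPTLEN=%d)\n",
	    tcp_opts_len(15), MAX_TCPOPTLEN);
	printf("sample segment SACK blocks: %d\n", sample_sack_count());
	return 0;
}
```

The point to take from tcp_opts_len is that the bound the commit relies on is a property of the 4-bit data-offset field, not of the option bytes themselves; the explicit `len > MAX_TCPOPTLEN` check costs one comparison and makes the copy safe even if a future caller computes the length some other way.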
---
sys/netpfil/pf/pf.c | 2 +-
sys/netpfil/pf/pf_norm.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3a56e6855d6f..6fdc0996324b 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3867,7 +3867,7 @@ pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th,
struct sackblk sack;
#define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
- if (hlen < TCPOLEN_SACKLEN ||
+ if (hlen < TCPOLEN_SACKLEN || hlen > MAX_TCPOPTLEN ||
!pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
return 0;
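Review bot: the new `hlen > MAX_TCPOPTLEN` bound only makes sense relative to the size of the `opts` stack buffer, which is declared outside this hunk, so the reader of the check still cannot see why 40 is the right limit. Since the commit message itself says the reasoning is "not obvious", put a one-line comment on the condition, e.g. `/* opts is MAX_TCPOPTLEN bytes; hlen comes from th_off, so this cannot trip */`, so the justification lives next to the code rather than only in git history.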
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 7290ede8d393..6546f8684a68 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1945,8 +1945,8 @@ pf_normalize_mss(struct pf_pdesc *pd)
thoff = th->th_off << 2;
cnt = thoff - sizeof(struct tcphdr);
- if (cnt > 0 && !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, cnt,
- NULL, NULL, pd->af))
+ if (cnt <= 0 || cnt > MAX_TCPOPTLEN || !pf_pull_hdr(pd->m,
+ pd->off + sizeof(*th), opts, cnt, NULL, NULL, pd->af))
return (0);
for (; cnt > 0; cnt -= optlen, optp += optlen) {
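Review bot: the rewritten condition changes behaviour for segments with no TCP options, not just for the overflow case. Before, `cnt == 0` skipped pf_pull_hdr() and fell through to a zero-iteration loop; now `cnt <= 0` returns 0 immediately. If the value returned after the loop differs from 0, callers of pf_normalize_mss() see a different result for option-less segments, and the commit message, which only describes an additional length check, does not mention that. Either keep the early return limited to the error cases (`cnt < 0 || cnt > MAX_TCPOPTLEN || (cnt > 0 && !pf_pull_hdr(...))`) or state in the message that returning 0 for `cnt == 0` is intended. A short comment tying `MAX_TCPOPTLEN` to the size of `opts` would also help here, as in pf_modulate_sack().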