git: e97ce7c66ee0 - main - pf: improve DIOCNATLOOK validation
Date: Wed, 09 Jul 2025 08:59:07 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=e97ce7c66ee0ab0afe58695b6922ff310262d7c5
commit e97ce7c66ee0ab0afe58695b6922ff310262d7c5
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-03 15:23:46 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-09 08:57:49 +0000
pf: improve DIOCNATLOOK validation
Check address family of pf ioctl(2) DIOCNATLOOK parameter at kernel
entry instead of calling panic() due to unhandled af.
Reported-by: syzbot+92be143c2dd1746cf2af@syzkaller.appspotmail.com
from Benjamin Baier
Also validate the direction.
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 4804479228
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf_ioctl.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 8a3f311d7d30..737f9ca060c5 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2817,6 +2817,28 @@ pf_ioctl_natlook(struct pfioc_natlook *pnl)
(!pnl->dport || !pnl->sport)))
return (EINVAL);
+ switch (pnl->direction) {
+ case PF_IN:
+ case PF_OUT:
+ case PF_INOUT:
+ break;
+ default:
+ return (EINVAL);
+ }
+
+ switch (pnl->af) {
+#ifdef INET
+ case AF_INET:
+ break;
+#endif /* INET */
+#ifdef INET6
+ case AF_INET6:
+ break;
+#endif /* INET6 */
+ default:
+ return (EAFNOSUPPORT);
+ }
+
bzero(&key, sizeof(key));
key.af = pnl->af;
key.proto = pnl->proto;
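Review bot: the direction switch accepts PF_INOUT alongside PF_IN and PF_OUT with no comment on what a NAT lookup in that direction should match. Please confirm the state lookup that follows `bzero(&key, sizeof(key));` gives a defined result for it, and either add a one-line comment or drop the case if only PF_IN and PF_OUT are meaningful here. Separately, both new switches sit after the existing proto/port check, which returns EINVAL, so a request with an unsupported af and a zero port reports EINVAL rather than EAFNOSUPPORT. If callers are meant to tell the two apart, validate `pnl->af` first. EAFNOSUPPORT is also a new errno for this ioctl (and is what an AF_INET or AF_INET6 request gets on a kernel built without the matching INET/INET6 option), which is worth documenting for DIOCNATLOOK callers.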