git: 5a135f8b45a1 - releng/15.1 - cap_net: do not allow new limits to drop keys from the old ones

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 20 May 2026 19:38:59 UTC
The branch releng/15.1 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=5a135f8b45a1dc5ce8803c8a2a56e13dedc4bded

commit 5a135f8b45a1dc5ce8803c8a2a56e13dedc4bded
Author:     Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2026-05-12 08:33:41 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-20 13:52:39 +0000

    cap_net: do not allow new limits to drop keys from the old ones
    
    If the old limit had family/hosts/sockaddr set, the new limit must
    have them too. Before, a missing key in the new limit was treated as
    "allow any", which let a caller silently extend their limits.
    
    Approved by:    re
    Approved by:    so
    Security:       FreeBSD-SA-26:24.cap_net
    Security:       CVE-2026-45254
    Reported by:    Joshua Rogers of AISLE Research Team
    Reviewed by:    markj
    MFC after:      1 day
    Differential Revision:  https://reviews.freebsd.org/D56991
    
    (cherry picked from commit d705a519525f2acae3c1efba11436ec6ee8aea0a)
    (cherry picked from commit 7eb3fd691d64dd42f9d32e04cb9b5811fd7c8e55)
---
 lib/libcasper/services/cap_net/cap_net.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/lib/libcasper/services/cap_net/cap_net.c b/lib/libcasper/services/cap_net/cap_net.c
index 5887fe3c407e..67eec73cae7e 100644
--- a/lib/libcasper/services/cap_net/cap_net.c
+++ b/lib/libcasper/services/cap_net/cap_net.c
@@ -1122,12 +1122,37 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout)
 	return (0);
 }
 
+/*
+ * If the old sublimit restricted a subkey, the new one must too;
+ * a missing subkey means "allow any" at request time.
+ */
+static bool
+verify_subkeys_present(const nvlist_t *oldfunclimits,
+    const nvlist_t *newfunclimit)
+{
+	void *cookie;
+	const char *name;
+
+	if (oldfunclimits == NULL)
+		return (true);
+
+	cookie = NULL;
+	while ((name = nvlist_next(oldfunclimits, NULL, &cookie)) != NULL) {
+		if (!nvlist_exists(newfunclimit, name))
+			return (false);
+	}
+	return (true);
+}
+
 static bool
 verify_only_sa_newlimts(const nvlist_t *oldfunclimits,
     const nvlist_t *newfunclimit)
 {
 	void *cookie;
 
+	if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+		return (false);
+
 	cookie = NULL;
 	while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
 		void *sacookie;
@@ -1200,6 +1225,9 @@ verify_addr2name_newlimits(const nvlist_t *oldlimits,
 		    LIMIT_NV_ADDR2NAME, NULL);
 	}
 
+	if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+		return (false);
+
 	cookie = NULL;
 	while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
 		if (strcmp(cnvlist_name(cookie), "sockaddr") == 0) {
@@ -1258,6 +1286,9 @@ verify_name2addr_newlimits(const nvlist_t *oldlimits,
 		    LIMIT_NV_NAME2ADDR, NULL);
 	}
 
+	if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+		return (false);
+
 	cookie = NULL;
 	while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
 		if (strcmp(cnvlist_name(cookie), "hosts") == 0) {