git: d481c3db42dc - stable/14 - pf: improve DIOCRCLRTABLES validation
Date: Mon, 03 Nov 2025 08:39:04 UTC
The branch stable/14 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=d481c3db42dc59bbe679ecc5aead161a8739466b
commit d481c3db42dc59bbe679ecc5aead161a8739466b
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-10-29 08:28:59 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-11-02 14:06:45 +0000
pf: improve DIOCRCLRTABLES validation
Unterminated strings in the anchor or name could cause crashes.
Validate them, and add a test case.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 1da3c0ca5b1decaa9cf55859cd134bdcd1218116)
---
sys/netpfil/pf/pf_ioctl.c | 11 +++++++++++
tests/sys/netpfil/pf/ioctl/validation.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index d95f36d06ee3..cf53ea638095 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -4645,6 +4645,17 @@ DIOCCHANGEADDR_error:
error = ENODEV;
break;
}
+ if (strnlen(io->pfrio_table.pfrt_anchor, MAXPATHLEN)
+ == MAXPATHLEN) {
+ error = EINVAL;
+ goto fail;
+ }
+ if (strnlen(io->pfrio_table.pfrt_name, PF_TABLE_NAME_SIZE)
+ == PF_TABLE_NAME_SIZE) {
+ error = EINVAL;
+ goto fail;
+ }
+
PF_RULES_WLOCK();
error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
io->pfrio_flags | PFR_FLAG_USERIOCTL);
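Review bot: The two new checks bound the scan with the constants MAXPATHLEN and PF_TABLE_NAME_SIZE rather than with the size of the fields being scanned, so they stop detecting an unterminated string as soon as either array is resized independently of its constant; using `sizeof(io->pfrio_table.pfrt_anchor)` and `sizeof(io->pfrio_table.pfrt_name)` as both the strnlen bound and the compared value ties each check to its field. A short comment above the first check, `/* Reject unterminated anchor/name: later code presumably treats them as NUL-terminated. */`, would record why "length equals array size" is the failure condition. The enclosing ioctl case and its `fail:` label lie outside the hunk, so I could not confirm that the early exits skip nothing that `fail` does not release. If the other DIOCR* table ioctls in this function carry the same pair of checks, a small static helper taking a `const struct pfr_table *` would keep them identical.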
diff --git a/tests/sys/netpfil/pf/ioctl/validation.c b/tests/sys/netpfil/pf/ioctl/validation.c
index b18e30e5e6af..651e6837acd7 100644
--- a/tests/sys/netpfil/pf/ioctl/validation.c
+++ b/tests/sys/netpfil/pf/ioctl/validation.c
@@ -193,6 +193,38 @@ ATF_TC_CLEANUP(gettables, tc)
COMMON_CLEANUP();
}
+ATF_TC_WITH_CLEANUP(clrtables);
+ATF_TC_HEAD(clrtables, tc)
+{
+ atf_tc_set_md_var(tc, "require.user", "root");
+ atf_tc_set_md_var(tc, "require.kmods", "pf");
+}
+
+ATF_TC_BODY(clrtables, tc)
+{
+ struct pfioc_table io;
+ struct pfr_table tbl;
+ int flags;
+
+ COMMON_HEAD();
+
+ flags = 0;
+
+ memset(&io, '/', sizeof(io));
+ io.pfrio_flags = flags;
+ io.pfrio_buffer = &tbl;
+ io.pfrio_esize = 0;
+ io.pfrio_size = 1;
+
+ if (ioctl(dev, DIOCRCLRTABLES, &io) == 0)
+ atf_tc_fail("Request with unterminated anchor name succeeded");
+}
+
+ATF_TC_CLEANUP(clrtables, tc)
+{
+ COMMON_CLEANUP();
+}
+
ATF_TC_WITH_CLEANUP(gettstats);
ATF_TC_HEAD(gettstats, tc)
{
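Review bot: The new clrtables body only exercises the case where both strings are unterminated, because `memset(&io, '/', sizeof(io))` fills the anchor and the name at once, so a regression in just the pfrt_name check would pass this test unnoticed. After the existing ioctl call, terminating the anchor and re-issuing the request covers the second check on its own: `io.pfrio_table.pfrt_anchor[0] = '\0';` then `if (ioctl(dev, DIOCRCLRTABLES, &io) == 0)` `atf_tc_fail("Request with unterminated table name succeeded");`. Checking that `errno == EINVAL` after each failing call would also distinguish the intended rejection from an unrelated failure. The `flags` local is assigned 0 and copied once; `io.pfrio_flags = 0;` would say the same thing in one line.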
@@ -924,6 +956,7 @@ ATF_TP_ADD_TCS(tp)
ATF_TP_ADD_TC(tp, addtables);
ATF_TP_ADD_TC(tp, deltables);
ATF_TP_ADD_TC(tp, gettables);
+ ATF_TP_ADD_TC(tp, clrtables);
ATF_TP_ADD_TC(tp, getastats);
ATF_TP_ADD_TC(tp, gettstats);
ATF_TP_ADD_TC(tp, clrtstats);