git: 05c3c8c0aba3 - releng/15.0 - pf: improve add state validation
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 06 Nov 2025 23:11:53 UTC
The branch releng/15.0 has been updated by cperciva:
URL: https://cgit.FreeBSD.org/src/commit/?id=05c3c8c0aba39362d88b76ea22ae80328bca9c13
commit 05c3c8c0aba39362d88b76ea22ae80328bca9c13
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-10-29 10:40:52 +0000
Commit: Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-11-06 23:11:02 +0000
pf: improve add state validation
Both for the DIOCADDSTATE ioctl and for states imported through pfsync packets.
Add a test case to exercise this code path.
Approved by: re (cperciva)
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit faacc0d968816cf8714c974b6d8df6191cfb0e0d)
(cherry picked from commit 4891e6f1c0ee9d81ca36b9d74d8ef4ef20690621)
---
sys/netpfil/pf/if_pfsync.c | 3 +++
tests/sys/netpfil/pf/ioctl/validation.c | 25 +++++++++++++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 66bc99df2afa..de69ecbb0985 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -546,6 +546,9 @@ pfsync_state_import(union pfsync_state_union *sp, int flags, int msg_version)
PF_RULES_RASSERT();
+ if (strnlen(sp->pfs_1301.ifname, IFNAMSIZ) == IFNAMSIZ)
+ return (EINVAL);
+
if (sp->pfs_1301.creatorid == 0) {
if (V_pf_status.debug >= PF_DEBUG_MISC)
printf("%s: invalid creator id: %08x\n", __func__,
diff --git a/tests/sys/netpfil/pf/ioctl/validation.c b/tests/sys/netpfil/pf/ioctl/validation.c
index 18fafe11c6ab..ff3f1bbcdadc 100644
--- a/tests/sys/netpfil/pf/ioctl/validation.c
+++ b/tests/sys/netpfil/pf/ioctl/validation.c
@@ -928,6 +928,30 @@ ATF_TC_CLEANUP(natlook, tc)
COMMON_CLEANUP();
}
+ATF_TC_WITH_CLEANUP(addstate);
+ATF_TC_HEAD(addstate, tc)
+{
+ atf_tc_set_md_var(tc, "require.user", "root");
+ atf_tc_set_md_var(tc, "require.kmods", "pfsync");
+}
+
+ATF_TC_BODY(addstate, tc)
+{
+ struct pfioc_state st;
+
+ COMMON_HEAD();
+
+ memset(&st, 'a', sizeof(st));
+ st.state.timeout = PFTM_TCP_FIRST_PACKET;
+
+ ATF_CHECK_ERRNO(EINVAL, ioctl(dev, DIOCADDSTATE, &st) == -1);
+}
+
+ATF_TC_CLEANUP(addstate, tc)
+{
+ COMMON_CLEANUP();
+}
+
ATF_TP_ADD_TCS(tp)
{
ATF_TP_ADD_TC(tp, addtables);
@@ -953,6 +977,7 @@ ATF_TP_ADD_TCS(tp)
ATF_TP_ADD_TC(tp, rpool_mtx);
ATF_TP_ADD_TC(tp, rpool_mtx2);
ATF_TP_ADD_TC(tp, natlook);
+ ATF_TP_ADD_TC(tp, addstate);
return (atf_no_error());
}