Date: Tue, 15 Jul 2025 10:07:53 GMT
Message-Id: <202507151007.56FA7r3W027879@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: cc68decda316 - main - pf: Reject rules with invalid port ranges
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=cc68decda316558cc53fadfbb39ac51847f363dd

commit cc68decda316558cc53fadfbb39ac51847f363dd
Author:     Kristof Provost
AuthorDate: 2025-07-07 15:09:58 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-15 07:55:29 +0000

    pf: Reject rules with invalid port ranges

    Ranges where the left boundary is bigger than the right one are always
    bogus as they work like `port any' (`port 34<>12' means "all ports") or
    in a way that inverts the rule's action (`pass ... port 34:12' means
    "pass no port at all").

    Add checks for all ranges and invalidate those that yield no or all
    ports.

    For this to work on redirections, make pfctl(8) pass the range's type,
    otherwise boundary including ranges are not detected as such; that is to
    say, `struct pf_pool's `port_op' member was unused in the kernel so far.

    `rdr-to' rules with invalid ranges could panic the kernel when hit.

    Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com
    OK sashan

    Obtained from:  OpenBSD, kn , 39c2a1337a
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_ioctl.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 016bb1fedef0..3caa0d2e3b11 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c @@ -2041,6 +2041,19 @@ pf_ioctl_getrules(struct pfioc_rule *pr) return (0); } +static int +pf_validate_range(uint8_t op, uint16_t port[2]) +{ + uint16_t a = ntohs(port[0]); + uint16_t b = ntohs(port[1]); + + if ((op == PF_OP_RRG && a > b) || /* 34:12, i.e. none */ + (op == PF_OP_IRG && a >= b) || /* 34><12, i.e. none */ + (op == PF_OP_XRG && a > b)) /* 34<>22, i.e. all */ + return 1; + return 0; +} + int pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, uint32_t pool_ticket, const char *anchor, const char *anchor_call, @@ -2060,6 +2073,11 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, #define ERROUT(x) ERROUT_FUNCTION(errout, x) + if (pf_validate_range(rule->src.port_op, rule->src.port)) + ERROUT(EINVAL); + if (pf_validate_range(rule->dst.port_op, rule->dst.port)) + ERROUT(EINVAL); + if (rule->ifname[0]) kif = pf_kkif_create(M_WAITOK); if (rule->rcv_ifname[0])
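
Review bot: pf_validate_range() in the first hunk returns 1 for an invalid range and 0 for a valid one, so the call sites read as "if the range validates, fail"; either return EINVAL/0 and propagate that value, or rename the helper (for example pf_range_is_bogus) so the non-zero case describes itself. The two new return statements also lack the parentheses used by the neighbouring "return (0);", and the PF_OP_XRG comment uses 34<>22 where the other two comments and the commit message use 12 as the right boundary. Since the helper only reads the array, the port parameter can be declared const.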
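
Review bot: the new checks in pf_ioctl_addrule() (second hunk) cover only rule->src.port and rule->dst.port, while the commit message names redirections (struct pf_pool's port_op, rdr-to rules) as the case that could panic the kernel; no pool range is validated anywhere in this diff, and the diffstat shows pf_ioctl.c as the only file touched. Either run the same validation over the rule's redirection pool range here, or say in the message that the pool and pfctl(8) parts are handled in a separate change. A regression test that loads a rule with a reversed range and expects EINVAL would also pin the new behaviour down.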