[Bug 207463] [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Feb 25 07:34:17 UTC 2016


--- Comment #3 from commit-hook at freebsd.org ---
A commit references this bug:

Author: kp
Date: Thu Feb 25 07:33:59 UTC 2016
New revision: 296025
URL: https://svnweb.freebsd.org/changeset/base/296025

  pf: Fix possible out-of-bounds write

  In the DIOCRSETADDRS ioctl() handler we allocate a table for struct
  which is processed in pfr_set_addrs(). At the users request we also provide
  feedback on the deleted addresses, by storing them after the new list
  ('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).

  This means we write outside the bounds of the buffer we've just allocated.
  We need to look at pfrio_size2 instead (i.e. the size the user reserved for
  feedback). That'd allow a malicious user to specify a smaller pfrio_size2
  pfrio_size though, in which case we'd still read outside of the allocated
  buffer. Instead we allocate the largest of the two values.

  Reported By:  Paul J Murphy <paul at inetstat.net>
  PR:           207463
  MFC after:    5 days
  Differential Revision:        https://reviews.freebsd.org/D5426


You are receiving this mail because:
You are on the CC list for the bug.

More information about the freebsd-stable mailing list