[Bug 207463] [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Mar 3 07:17:25 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207463
--- Comment #5 from commit-hook at freebsd.org ---
A commit references this bug:
Author: kp
Date: Thu Mar 3 07:16:36 UTC 2016
New revision: 296340
URL: https://svnweb.freebsd.org/changeset/base/296340
Log:
MFC: r296025:
pf: Fix possible out-of-bounds write
In the DIOCRSETADDRS ioctl() handler we allocate a table for struct
pfr_addrs,
which is processed in pfr_set_addrs(). At the users request we also provide
feedback on the deleted addresses, by storing them after the new list
('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).
This means we write outside the bounds of the buffer we've just allocated.
We need to look at pfrio_size2 instead (i.e. the size the user reserved for
our
feedback). That'd allow a malicious user to specify a smaller pfrio_size2
than
pfrio_size though, in which case we'd still read outside of the allocated
buffer. Instead we allocate the largest of the two values.
Reported By: Paul J Murphy <paul at inetstat.net>
PR: 207463
Approved by: re (marius)
Changes:
_U stable/10/
stable/10/sys/netpfil/pf/pf_ioctl.c
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-stable
mailing list