svn commit: r302117 - head/sys/netpfil/pf

Bjoern A. Zeeb bz at FreeBSD.org
Thu Jun 23 05:41:47 UTC 2016


Author: bz
Date: Thu Jun 23 05:41:46 2016
New Revision: 302117
URL: https://svnweb.freebsd.org/changeset/base/302117

Log:
  Import a fix for an old security issue (CVE-2010-3830) in pf which
  was not relevant to FreeBSD as only root could open /dev/pf by default.
  With VIMAGE this will no longer be the case.  As pf(4) starts to
  be supported with VNETs 3rd party users may open /dev/pf inside the
  virtual jail instance; thus we need to address this issue after all.
  While OpenBSD largely rewrote code parts for the fix [1], and it's
  unclear what Apple [3] did, import the minimal fix from NetBSD [2].
  
  [1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_ioctl.c.diff?r1=1.235&r2=1.236
  [2] http://mail-index.netbsd.org/source-changes/2011/01/19/msg017518.html
  [3] https://support.apple.com/en-gb/HT202154
  
  Obtained from:		http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/pf/net/pf_ioctl.c.diff?r1=1.42&r2=1.43&only_with_tag=MAIN
  MFC After:		2 weeks
  Approved by:		re (gjb)
  Sponsored by:		The FreeBSD Foundation
  Security:		CVE-2010-3830

Modified:
  head/sys/netpfil/pf/pf_ioctl.c

Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c	Thu Jun 23 05:35:08 2016	(r302116)
+++ head/sys/netpfil/pf/pf_ioctl.c	Thu Jun 23 05:41:46 2016	(r302117)
@@ -1254,6 +1254,7 @@ pfioctl(struct cdev *dev, u_long cmd, ca
 					error = ENOMEM;
 			}
 
+		rule->overload_tbl = NULL;
 		if (rule->overload_tblname[0]) {
 			if ((rule->overload_tbl = pfr_attach_table(ruleset,
 			    rule->overload_tblname)) == NULL)
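Review bot: The added `rule->overload_tbl = NULL;` ahead of the `overload_tblname[0]` test has no comment, and to a later reader it looks like a redundant store, since the `if` that follows assigns the same field. A one-line comment saying that the pointer must not keep whatever value it held before this point when no overload table name is set, with a reference to CVE-2010-3830, would keep a future cleanup from dropping it. It is also worth confirming that any other pointer member of the rule that is only attached conditionally in this function gets the same unconditional reset.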
@@ -1511,6 +1512,7 @@ DIOCADDRULE_error:
 						error = ENOMEM;
 				}
 
+			newrule->overload_tbl = NULL;
 			if (newrule->overload_tblname[0]) {
 				if ((newrule->overload_tbl = pfr_attach_table(
 				    ruleset, newrule->overload_tblname)) ==
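Review bot: `newrule->overload_tbl = NULL;` repeats the reset from the first hunk verbatim at a second place in `pfioctl`, so the two copies now have to be kept in step by hand. Consider clearing the pointer in one small shared helper, or at the point where `newrule` is first filled in, so that a further rule-handling path added later cannot miss it. If the line stays here, it should carry the same explanatory comment as the one for `rule`.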

