svn commit: r314715 - head/sys/netpfil/ipfw

Andrey V. Elsukov ae at FreeBSD.org
Sun Mar 5 22:19:44 UTC 2017


Author: ae
Date: Sun Mar  5 22:19:43 2017
New Revision: 314715
URL: https://svnweb.freebsd.org/changeset/base/314715

Log:
  Reject invalid object types that cannot be used with specific opcodes.
  
  When we are doing reference counting of named objects in the new rule,
  for existing objects check that the opcode references the correct object,
  otherwise return EINVAL.
  
  PR:		217391
  MFC after:	1 week
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_sockopt.c

Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_sockopt.c	Sun Mar  5 21:56:04 2017	(r314714)
+++ head/sys/netpfil/ipfw/ip_fw_sockopt.c	Sun Mar  5 22:19:43 2017	(r314715)
@@ -2669,7 +2669,14 @@ ref_opcode_object(struct ip_fw_chain *ch
 		return (0);
 	}
 
-	/* Found. Bump refcount and update kidx. */
+	/*
+	 * Object is already exist.
+	 * Its subtype should match with expected value.
+	 */
+	if (ti->type != no->subtype)
+		return (EINVAL);
+
+	/* Bump refcount and update kidx. */
 	no->refcnt++;
 	rw->update(cmd, no->kidx);
 	return (0);
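
Review bot: the new comment above the `ti->type != no->subtype` check reads "Object is already exist", which should be "Object already exists", and it would help to say which side is which: `ti->type` is the type the opcode expects, `no->subtype` is the type of the object that was found by name. Placing the `return (EINVAL)` before `no->refcnt++` and `rw->update(cmd, no->kidx)` is the right order, since the rejected path then leaves both the refcount and the opcode's kidx untouched. One thing to confirm outside the visible lines is that `ti->type` is always filled in for every opcode that reaches this function, because an unset value would now turn a previously accepted rule into an EINVAL.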

