svn commit: r367987 - head/sys/netpfil/pf
Mark Johnston
markj at FreeBSD.org
Tue Nov 24 16:18:48 UTC 2020
Author: markj
Date: Tue Nov 24 16:18:47 2020
New Revision: 367987
URL: https://svnweb.freebsd.org/changeset/base/367987
Log:
pf: Make tag hashing more robust
tagname2tag() hashes the tag name before truncating it to 63 characters.
tag_unref() removes the tag from the name hash by computing the hash
over the truncated name. Ensure that both operations compute the same
hash for a given tag.
The larger issue is a lack of string validation in pf(4) ioctl handlers.
This is intended to be fixed with some future work, but an extra safety
belt in tagname2hashindex() is worthwhile regardless.
Reported by: syzbot+a0988828aafb00de7d68 at syzkaller.appspotmail.com
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D27346
Modified:
head/sys/netpfil/pf/pf_ioctl.c
Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c Tue Nov 24 15:32:25 2020 (r367986)
+++ head/sys/netpfil/pf/pf_ioctl.c Tue Nov 24 16:18:47 2020 (r367987)
@@ -512,8 +512,10 @@ pf_cleanup_tagset(struct pf_tagset *ts)
static uint16_t
tagname2hashindex(const struct pf_tagset *ts, const char *tagname)
{
+ size_t len;
- return (murmur3_32_hash(tagname, strlen(tagname), ts->seed) & ts->mask);
+ len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);
+ return (murmur3_32_hash(tagname, len, ts->seed) & ts->mask);
}
static uint16_t
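Review bot: The `PF_TAG_NAME_SIZE - 1` bound in tagname2hashindex() carries no comment tying it to the truncation that the log says tagname2tag() performs, so a later change on either side could let the insert-time and tag_unref() hashes diverge again. A one-line comment above the strnlen() call, stating that the hash must cover exactly the truncated name that gets stored, would record that. The bound also assumes every caller passes a buffer with at least PF_TAG_NAME_SIZE - 1 readable bytes, since strnlen() scans that far when it finds no NUL. That assumption is worth documenting or asserting here until the ioctl string validation mentioned in the log lands.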