svn commit: r322591 - stable/11/sys/netpfil/pf

Kristof Provost kp at FreeBSD.org
Wed Aug 16 19:52:33 UTC 2017


Author: kp
Date: Wed Aug 16 19:52:31 2017
New Revision: 322591
URL: https://svnweb.freebsd.org/changeset/base/322591

Log:
  MFC r322280:
  pf_get_sport(): Prevent possible endless loop when searching for an unused nat port
  
  This is an import of Alexander Bluhm's OpenBSD commit r1.60,
  the first chunk had to be modified because on OpenBSD the
  'cut' declaration is located elsewhere.
  
  Upstream report by Jingmin Zhou:
  https://marc.info/?l=openbsd-pf&m=150020133510896&w=2
  
  OpenBSD commit message:
   Use a 32 bit variable to detect integer overflow when searching for
   an unused nat port.  Prevents a possible endless loop if high port
   is 65535 or low port is 0.
   report and analysis Jingmin Zhou; OK sashan@ visa@
  Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c
  
  PR:		221201
  Submitted by:	Fabian Keil <fk at fabiankeil.de>
  Obtained from:	OpenBSD via ElectroBSD

Modified:
  stable/11/sys/netpfil/pf/pf_lb.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netpfil/pf/pf_lb.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf_lb.c	Wed Aug 16 19:40:07 2017	(r322590)
+++ stable/11/sys/netpfil/pf/pf_lb.c	Wed Aug 16 19:52:31 2017	(r322591)
@@ -259,7 +259,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf
 				return (0);
 			}
 		} else {
-			uint16_t tmp, cut;
+			uint32_t tmp;
+			uint16_t cut;
 
 			if (low > high) {
 				tmp = low;
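Review bot: The new `uint32_t tmp;` declaration has no comment saying why it is wider than the 16-bit port values it holds, and the same variable is also the swap temporary in `tmp = low;`, so a later cleanup could narrow it back to `uint16_t` and reintroduce the endless loop. Add a short comment on the declaration stating that tmp must be 32 bits so the loop counters below can step past 65535 or below 0 without wrapping back into the valid port range.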
@@ -269,7 +270,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf
 			/* low < high */
 			cut = arc4random() % (1 + high - low) + low;
 			/* low <= cut <= high */
-			for (tmp = cut; tmp <= high; ++(tmp)) {
+			for (tmp = cut; tmp <= high && tmp <= 0xffff; ++tmp) {
 				key.port[1] = htons(tmp);
 				if (pf_find_state_all(&key, PF_IN, NULL) ==
 				    NULL) {
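Review bot: The added `tmp <= 0xffff` bound in the upward loop is undocumented, and it is also the only thing that guarantees `htons(tmp)` never receives a value that gets silently truncated now that tmp is 32 bits wide. Note next to the loop that the bound stops the search once tmp passes the last valid port (the "high port is 65535" case from the commit message), and consider a `(uint16_t)` cast on the `htons(tmp)` argument so the narrowing is explicit.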
@@ -277,7 +278,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf
 					return (0);
 				}
 			}
-			for (tmp = cut - 1; tmp >= low; --(tmp)) {
+			tmp = cut;
+			for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp) {
 				key.port[1] = htons(tmp);
 				if (pf_find_state_all(&key, PF_IN, NULL) ==
 				    NULL) {
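Review bot: In the downward loop, `tmp <= 0xffff` is doing underflow detection rather than range checking, and nothing in the code says so: when cut or low is 0, `tmp -= 1` or `--tmp` wraps to 0xffffffff, which still satisfies `tmp >= low` and is rejected only by the upper bound. A one-line comment stating that would keep the condition from being removed as apparently redundant. The split initialisation (`tmp = cut;` followed by `tmp -= 1` in the for-init) also reads awkwardly; `tmp = cut - 1` in the for-init yields the same 32-bit value and keeps the loop header self-contained.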

