The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f8d1f2da0922fdff846b13baa7315652b43aa95c

commit f8d1f2da0922fdff846b13baa7315652b43aa95c
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2021-02-13 15:31:52 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2021-02-17 09:11:19 +0000

    pf: Slightly relax pf_rule_addr validation
    
    Ensure we don't reject no-route / urpf-failed addresses.
    
    PR:             253479
    Reported by:    michal AT microwave.sk
    Reviewed by:    donner@
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D28650
    
    (cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)
---
 sys/netpfil/pf/pf_ioctl.c | 47 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index bbb9cfe39586..edf147699235 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1558,9 +1558,33 @@ pf_krule_to_rule(const struct pf_krule *krule, struct 
pf_rule *rule)
        rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
 }
 
+static int
+pf_check_rule_addr(const struct pf_rule_addr *addr)
+{
+
+       switch (addr->addr.type) {
+       case PF_ADDR_ADDRMASK:
+       case PF_ADDR_NOROUTE:
+       case PF_ADDR_DYNIFTL:
+       case PF_ADDR_TABLE:
+       case PF_ADDR_URPFFAILED:
+       case PF_ADDR_RANGE:
+               break;
+       default:
+               return (EINVAL);
+       }
+
+       if (addr->addr.p.dyn != NULL) {
+               return (EINVAL);
+       }
+
+       return (0);
+}
+
 static int
 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
 {
+       int ret;
 
 #ifndef INET
        if (rule->af == AF_INET) {
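Review bot: pf_check_rule_addr has no comment stating what it guards, and because pf_rule_to_krule presumably converts a pf_rule handed in from userland over the ioctl path (this is pf_ioctl.c), a reader cannot tell that the `addr->addr.p.dyn != NULL` test rejects a kernel-owned pointer the caller must not supply rather than checking a user-visible option. I would add above the definition: `/* Validate a pf_rule_addr supplied from userland: only the listed address types are accepted, and addr.p.dyn is filled in by the kernel and must be NULL on input. */`. If addr.p is a union shared with the table pointer, as I recall from pf.h (confirm), a short remark that the NULL test therefore covers the whole union would also help the next maintainer. pf_rule_to_krule starts in this hunk but its body continues past it.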
@@ -1573,23 +1597,12 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
        }
 #endif /* INET6 */
 
-       if (rule->src.addr.type != PF_ADDR_ADDRMASK &&
-           rule->src.addr.type != PF_ADDR_DYNIFTL &&
-           rule->src.addr.type != PF_ADDR_TABLE) {
-               return (EINVAL);
-       }
-       if (rule->src.addr.p.dyn != NULL) {
-               return (EINVAL);
-       }
-
-       if (rule->dst.addr.type != PF_ADDR_ADDRMASK &&
-           rule->dst.addr.type != PF_ADDR_DYNIFTL &&
-           rule->dst.addr.type != PF_ADDR_TABLE) {
-               return (EINVAL);
-       }
-       if (rule->dst.addr.p.dyn != NULL) {
-               return (EINVAL);
-       }
+       ret = pf_check_rule_addr(&rule->src);
+       if (ret != 0)
+               return (ret);
+       ret = pf_check_rule_addr(&rule->dst);
+       if (ret != 0)
+               return (ret);
 
        bzero(krule, sizeof(*krule));
 
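Review bot: The new local is named `ret` while the surrounding pf_ioctl.c code, as far as I recall, uses `error` for the errno-style results of helpers like this one; renaming it keeps the file consistent, i.e. `int error;` and `error = pf_check_rule_addr(&rule->src);` with the same change for the dst call. The two-call sequence is otherwise sound: both checks run before the `bzero(krule, sizeof(*krule))`, so a rejected rule returns without touching krule. pf_rule_to_krule begins in the previous hunk and continues past this one.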