svn commit: r332492 - stable/10/sys/netpfil/pf

[Kristof Provost]

Author: kp
Date: Fri Apr 13 21:19:06 2018
New Revision: 332492
URL: https://svnweb.freebsd.org/changeset/base/332492

Log:
  MFC r332136:
  
  pf: Improve ioctl validation for DIOCIGETIFACES and DIOCXCOMMIT
  
  These ioctls can process a number of items at a time, which puts us at
  risk of overflow in mallocarray() and of impossibly large allocations
  even if we don't overflow.
  
  There's no obvious limit to the request size for these, so we limit the
  requests to something which won't overflow. Change the memory allocation
  to M_NOWAIT so excessive requests will fail rather than stall forever.

Modified:
  stable/10/sys/netpfil/pf/pf_ioctl.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_ioctl.c Fri Apr 13 21:19:03 2018        
(r332491)
+++ stable/10/sys/netpfil/pf/pf_ioctl.c Fri Apr 13 21:19:06 2018        
(r332492)
@@ -3105,10 +3105,17 @@ DIOCCHANGEADDR_error:
                        error = ENODEV;
                        break;
                }
+
+               if (io->size < 0 ||
+                   WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
+                       error = EINVAL;
+                       break;
+               }
+
                totlen = sizeof(struct pfioc_trans_e) * io->size;
                ioes = mallocarray(io->size, sizeof(struct pfioc_trans_e),
-                   M_TEMP, M_WAITOK);
-               if (! ioes) {
+                   M_TEMP, M_NOWAIT);
+               if (ioes == NULL) {
                        error = ENOMEM;
                        break;
                }
@@ -3311,13 +3318,20 @@ DIOCCHANGEADDR_error:
                        break;
                }
 
+               if (io->pfiio_size < 0 ||
+                   WOULD_OVERFLOW(io->pfiio_size, sizeof(struct pfi_kif))) {
+                       error = EINVAL;
+                       break;
+               }
+
                bufsiz = io->pfiio_size * sizeof(struct pfi_kif);
                ifstore = mallocarray(io->pfiio_size, sizeof(struct pfi_kif),
-                   M_TEMP, M_WAITOK);
-               if (! ifstore) {
+                   M_TEMP, M_NOWAIT);
+               if (ifstore == NULL) {
                        error = ENOMEM;
                        break;
                }
+
                PF_RULES_RLOCK();
                pfi_get_ifaces(io->pfiio_name, ifstore, &io->pfiio_size);
                PF_RULES_RUNLOCK();
_______________________________________________
svn-src-stable-10@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10
To unsubscribe, send any mail to "svn-src-stable-10-unsubscr...@freebsd.org"