author | Mark Johnston <markj@FreeBSD.org> | 2021-11-29 18:50:21 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2021-11-29 18:57:24 +0000 |
commit | d5ea04ee7ba6c7cd8e0918a080caf5f2c8fb3955 | |
tree | 744c0f84b4e7be3f8366a2034fb5d8bdf2928f2b | |
parent | 3dd3a395ba975d0fbe13320e6e69fb85b037da5e | |
dummynet: Avoid an out-of-bounds read in do_config()

do_config() processes a buffer of variable-length dummynet commands.
The loop which processes this buffer loads the fixed-length header
before checking whether there are any bytes left to read, so it performs
a 4-byte read past the end of the buffer before terminating.

Restructure the loop to avoid this.

Reported by: Jenkins (KASAN job)
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33132

-rw-r--r-- | sys/netpfil/ipfw/ip_dummynet.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/netpfil/ipfw/ip_dummynet.c b/sys/netpfil/ipfw/ip_dummynet.c index a890507f7b31..919445ff71d0 100644 --- a/sys/netpfil/ipfw/ip_dummynet.c +++ b/sys/netpfil/ipfw/ip_dummynet.c @@ -2011,7 +2011,9 @@ do_config(void *p, int l) } arg = NULL; dn = NULL; - for (off = 0; l >= sizeof(o); memcpy(&o, (char *)p + off, sizeof(o))) { + off = 0; + while (l >= sizeof(o)) { + memcpy(&o, (char *)p + off, sizeof(o)); if (o.len < sizeof(o) || l < o.len) { D("bad len o.len %d len %d", o.len, l); err = EINVAL; |
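Review bot: In the new `while (l >= sizeof(o))` guard, `l` is the `int` parameter from `do_config(void *p, int l)` and is compared against a `size_t`, so a negative `l` is converted to a large unsigned value and passes the check, after which `memcpy(&o, (char *)p + off, sizeof(o));` still runs. The callers are not visible in this hunk; unless they all guarantee a non-negative length, consider returning EINVAL for `l < 0` before `off = 0;`, or writing the guard as `l >= (int)sizeof(o)` so the comparison stays signed. The restructured loop is otherwise easier to audit, since the header load now sits directly behind the length check that protects it.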