diff options
author | Kristof Provost <kp@FreeBSD.org> | 2020-04-17 14:35:11 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2020-04-17 14:35:11 +0000 |
commit | 95324dc3f4d20b9ecced5e9be776962719a1888a (patch) | |
tree | 4db5a3b23ccc1c0e39cb15ee28cc8dbc7c3752fc /sys/netpfil/pf/pf_ioctl.c | |
parent | 4e49fbcd3721e3fd34a6ff4808f8cca8d96e050a (diff) | |
download | src-95324dc3f4d20b9ecced5e9be776962719a1888a.tar.gz src-95324dc3f4d20b9ecced5e9be776962719a1888a.zip |
pf: Do not allow negative ps_len in DIOCGETSTATES
Userspace may pass a negative ps_len value to us, which causes an
assertion failure in malloc().
Treat negative values as zero, i.e. return the required size.
Reported-by: syzbot+53370d9d0358ee2a059a@syzkaller.appspotmail.com
Reviewed by: lutz at donnerhacke.de
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D24447
Notes
Notes:
svn path=/head/; revision=360042
Diffstat (limited to 'sys/netpfil/pf/pf_ioctl.c')
-rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index a216ee0aa64a..a1b973edb557 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2163,7 +2163,7 @@ relock_DIOCKILLSTATES: struct pfsync_state *pstore, *p; int i, nr; - if (ps->ps_len == 0) { + if (ps->ps_len <= 0) { nr = uma_zone_get_cur(V_pf_state_z); ps->ps_len = sizeof(struct pfsync_state) * nr; break; |