os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
doc/share/security/patches/EN-20:04/pfctl.patch
Gordon Tetlow bc912e3b54 Add EN-20:03 through EN-20:06 and SA-20:04 through SA-20:09. 
Approved by:	so
2020-03-19 17:20:56 +00:00

155 lines
4.1 KiB
Diff
Raw Blame History

--- sys/netpfil/pf/pf.c.orig
+++ sys/netpfil/pf/pf.c
@@ -363,11 +363,14 @@
u_long pf_srchashmask;
static u_long pf_hashsize;
static u_long pf_srchashsize;
+u_long pf_ioctl_maxcount = 65535;
SYSCTL_ULONG(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN,
&pf_hashsize, 0, "Size of pf(4) states hashtable");
SYSCTL_ULONG(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN,
&pf_srchashsize, 0, "Size of pf(4) source nodes hashtable");
+SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RDTUN,
+ &pf_ioctl_maxcount, 0, "Maximum number of tables, addresses, ... in a single ioctl() call");
VNET_DEFINE(void *, pf_swi_cookie);
--- sys/netpfil/pf/pf_ioctl.c.orig
+++ sys/netpfil/pf/pf_ioctl.c
@@ -86,8 +86,6 @@
#include <net/altq/altq.h>
#endif
-#define PF_TABLES_MAX_REQUEST 65535 /* Maximum tables per request. */
-
static struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
u_int8_t, u_int8_t, u_int8_t);
@@ -215,6 +213,8 @@
/* pflog */
pflog_packet_t *pflog_packet_ptr = NULL;
+extern u_long pf_ioctl_maxcount;
+
static void
pfattach_vnet(void)
{
@@ -2528,7 +2528,8 @@
break;
}
- if (io->pfrio_size < 0 || io->pfrio_size > PF_TABLES_MAX_REQUEST) {
+ if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
+ WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
error = ENOMEM;
break;
}
@@ -2559,7 +2560,8 @@
break;
}
- if (io->pfrio_size < 0 || io->pfrio_size > PF_TABLES_MAX_REQUEST) {
+ if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
+ WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
error = ENOMEM;
break;
}
@@ -2732,6 +2734,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2769,6 +2772,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2810,7 +2814,8 @@
break;
}
count = max(io->pfrio_size, io->pfrio_size2);
- if (WOULD_OVERFLOW(count, sizeof(struct pfr_addr))) {
+ if (count > pf_ioctl_maxcount ||
+ WOULD_OVERFLOW(count, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
}
@@ -2848,6 +2853,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2879,6 +2885,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_astats))) {
error = EINVAL;
break;
@@ -2910,6 +2917,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2947,6 +2955,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2984,6 +2993,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -3036,6 +3046,7 @@
break;
}
if (io->size < 0 ||
+ io->size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
error = EINVAL;
break;
@@ -3112,6 +3123,7 @@
break;
}
if (io->size < 0 ||
+ io->size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
error = EINVAL;
break;
@@ -3189,6 +3201,7 @@
}
if (io->size < 0 ||
+ io->size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
error = EINVAL;
break;
@@ -3407,6 +3420,7 @@
}
if (io->pfiio_size < 0 ||
+ io->pfiio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfiio_size, sizeof(struct pfi_kif))) {
error = EINVAL;
break;
Reference in a new issue View git blame Copy permalink