pf: improve DIOCRCLRTABLES validation

Unterminated strings in the anchor or name could cause crashes.
Validate them, and add a test case.

Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after:	3 days
Sponsored by:	Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Kristof Provost
2025-10-29 09:28:59 +01:00
parent 237cc7b408
commit 1da3c0ca5b
2 changed files with 44 additions and 0 deletions
+11
View File
@@ -4792,6 +4792,17 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
error = ENODEV;
goto fail;
}
if (strnlen(io->pfrio_table.pfrt_anchor, MAXPATHLEN)
== MAXPATHLEN) {
error = EINVAL;
goto fail;
}
if (strnlen(io->pfrio_table.pfrt_name, PF_TABLE_NAME_SIZE)
== PF_TABLE_NAME_SIZE) {
error = EINVAL;
goto fail;
}
PF_RULES_WLOCK();
error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel,
io->pfrio_flags | PFR_FLAG_USERIOCTL);
+33
View File
@@ -194,6 +194,38 @@ ATF_TC_CLEANUP(gettables, tc)
COMMON_CLEANUP();
}
ATF_TC_WITH_CLEANUP(clrtables);
ATF_TC_HEAD(clrtables, tc)
{
atf_tc_set_md_var(tc, "require.user", "root");
atf_tc_set_md_var(tc, "require.kmods", "pf");
}
ATF_TC_BODY(clrtables, tc)
{
struct pfioc_table io;
struct pfr_table tbl;
int flags;
COMMON_HEAD();
flags = 0;
memset(&io, '/', sizeof(io));
io.pfrio_flags = flags;
io.pfrio_buffer = &tbl;
io.pfrio_esize = 0;
io.pfrio_size = 1;
if (ioctl(dev, DIOCRCLRTABLES, &io) == 0)
atf_tc_fail("Request with unterminated anchor name succeeded");
}
ATF_TC_CLEANUP(clrtables, tc)
{
COMMON_CLEANUP();
}
ATF_TC_WITH_CLEANUP(gettstats);
ATF_TC_HEAD(gettstats, tc)
{
@@ -954,6 +986,7 @@ ATF_TP_ADD_TCS(tp)
ATF_TP_ADD_TC(tp, addtables);
ATF_TP_ADD_TC(tp, deltables);
ATF_TP_ADD_TC(tp, gettables);
ATF_TP_ADD_TC(tp, clrtables);
ATF_TP_ADD_TC(tp, getastats);
ATF_TP_ADD_TC(tp, gettstats);
ATF_TP_ADD_TC(tp, clrtstats);