pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.
The current ifa_load() is not paranoid enough when it deals with information that comes from the kernel. The function just ignores the sa_len member in the socket address returned by getifaddrs(). The issue was reported by anton@. The idea for the fix here comes from claudio@. OK @claudio, @deraadt Obtained from: OpenBSD, sashan <sashan@openbsd.org>, a48d060175 Sponsored by: Rubicon Communications, LLC ("Netgate")
@@ -1598,11 +1598,17 @@ ifa_load(void)
|
||||
copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr);
|
||||
ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family;
|
||||
copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask);
|
||||
if (ifa->ifa_broadaddr != NULL) {
|
||||
if (ifa->ifa_broadaddr != NULL &&
|
||||
ifa->ifa_broadaddr->sa_len != 0) {
|
||||
ifa->ifa_broadaddr->sa_family =
|
||||
ifa->ifa_addr->sa_family;
|
||||
ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family;
|
||||
copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr);
|
||||
}
|
||||
if (ifa->ifa_dstaddr != NULL) {
|
||||
if (ifa->ifa_dstaddr != NULL &&
|
||||
ifa->ifa_dstaddr->sa_len != 0) {
|
||||
ifa->ifa_dstaddr->sa_family =
|
||||
ifa->ifa_addr->sa_family;
|
||||
ifa->ifa_dstaddr->sa_family = ifa->ifa_addr->sa_family;
|
||||
copy_satopfaddr(&n->peer, ifa->ifa_dstaddr);
|
||||
}
|
||||
|
||||
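Review bot: The new guards on `ifa_broadaddr` and `ifa_dstaddr` reject only `sa_len == 0`, so a non-zero but truncated address still has its `sa_family` overwritten with `ifa_addr`'s family and is then passed to `copy_satopfaddr()`. That helper is not visible here, but if it reads a full `sockaddr_in`/`sockaddr_in6` according to the family, a short buffer would still be over-read. A lower bound tied to the expected size would be stricter, for example `ifa->ifa_broadaddr->sa_len >= ifa->ifa_addr->sa_len`, with the same for `ifa_dstaddr`. The `ifa_netmask` path just above (family overwrite, then `copy_satopfaddr(&n->addr.v.a.mask, ...)`) gets no length check in the visible lines; either cover it too or add a comment such as `/* netmask sa_len validated earlier in ifa_load() */` if that holds. `ifa_load()` starts and ends outside this hunk, so earlier validation may exist.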