ipfilter: Avoid negative array indicies
Array indices must always be positive. We avoid this by making each index unsigned. This mitigates out-of-bounds reads and writes. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: glebius MFC after: 3 days Differential revision: https://reviews.freebsd.org/D55260
@@ -8530,7 +8530,7 @@ ipf_matcharray_load(ipf_main_softc_t *softc, caddr_t data, ipfobj_t *objp,
|
||||
int
|
||||
ipf_matcharray_verify(int *array, int arraysize)
|
||||
{
|
||||
int i, nelem, maxidx;
|
||||
u_int i, nelem, maxidx;
|
||||
ipfexp_t *e;
|
||||
|
||||
nelem = arraysize / sizeof(*array);
|
||||
@@ -8591,7 +8591,7 @@ ipf_matcharray_verify(int *array, int arraysize)
|
||||
static int
|
||||
ipf_fr_matcharray(fr_info_t *fin, int *array)
|
||||
{
|
||||
int i, n, *x, rv, p;
|
||||
u_int i, n, *x, rv, p;
|
||||
ipfexp_t *e;
|
||||
|
||||
rv = 0;
|
||||
|
||||
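Review bot: In ipf_matcharray_verify the parameter `arraysize` is still a signed `int`, so `nelem = arraysize / sizeof(*array);` can now produce a very large unsigned count. A negative `arraysize` is converted to `size_t` for the division, and where the old `int nelem` would typically end up negative, the new `u_int nelem` keeps a large positive value that later bounds comparisons may accept. Whether a caller can pass a negative size is not visible in this hunk, and the function body continues past it. A guard such as `if (arraysize < (int)sizeof(*array))` with the function's error return, placed before the division, would make the check independent of the callers.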
@@ -1473,7 +1473,7 @@ typedef struct ipfexp {
|
||||
int ipfe_cmd;
|
||||
int ipfe_not;
|
||||
int ipfe_narg;
|
||||
int ipfe_size;
|
||||
u_int ipfe_size;
|
||||
int ipfe_arg0[1];
|
||||
} ipfexp_t;
|
||||
|
||||
|
||||
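Review bot: Only `ipfe_size` becomes unsigned in `struct ipfexp`; `ipfe_narg` directly above it stays `int`. If the match loops use `ipfe_narg` as the bound for indexing `ipfe_arg0` (not visible here), comparing it with the now-unsigned `i` converts a negative count to a large unsigned bound instead of ending the loop. I would either change it to `u_int ipfe_narg;` as well or have ipf_matcharray_verify reject a negative value, and add a short comment on the struct saying which fields are validated before use.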
@@ -4910,7 +4910,7 @@ ipf_state_matchflush(ipf_main_softc_t *softc, caddr_t data)
|
||||
static int
|
||||
ipf_state_matcharray(ipstate_t *state, int *array, u_long ticks)
|
||||
{
|
||||
int i, n, *x, rv, p;
|
||||
u_int i, n, *x, rv, p;
|
||||
ipfexp_t *e;
|
||||
|
||||
rv = 0;
|
||||
|
||||
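Review bot: The declaration `u_int i, n, *x, rv, p;` in ipf_state_matcharray changes more than the index: `x` becomes a `u_int *` and `rv` becomes unsigned, although the function still returns `int` and takes `int *array`. If `x` is pointed at `array` or at `ipfe_arg0` (declared `int` in the header hunk), that is a pointer-sign mismatch; splitting the line into `u_int i, n;` and `int *x, rv, p;` keeps the intent without it. The same declaration appears in the ipf_fr_matcharray hunk. The bodies continue outside both hunks, so any loop there that counts `n` down and tests `n > 0` should be rechecked, since an unsigned `n` wraps instead of going negative.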