pf: fix incorrect table decoding in netlink
We used nla_p_table for pfr_table structures, but this netlink decoder was intended for pfioc_table and decoded an extra field, outside of pfr_table. This allowed userspace to write (slightly) outside of pfr_table. Use a separate nlattr_parser for pfr_table. PR: 295218 Reported by: Robert Morris <rtm@lcs.mit.edu> MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate")
@@ -2189,7 +2189,14 @@ nlattr_get_pfr_addr(struct nlattr *nla, struct nl_pstate *npt, const void *arg,
|
||||
return (0);
|
||||
}
|
||||
|
||||
NL_DECLARE_ATTR_PARSER(nested_table_parser, nla_p_table);
|
||||
#define _OUT(_field) offsetof(struct pfr_table, _field)
|
||||
static const struct nlattr_parser nla_p_pfrtable[] = {
|
||||
{ .type = PF_T_ANCHOR, .off = _OUT(pfrt_anchor), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara },
|
||||
{ .type = PF_T_NAME, .off = _OUT(pfrt_name), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara },
|
||||
{ .type = PF_T_TABLE_FLAGS, .off = _OUT(pfrt_flags), .cb = nlattr_get_uint32 },
|
||||
};
|
||||
#undef _OUT
|
||||
NL_DECLARE_ATTR_PARSER(nested_table_parser, nla_p_pfrtable);
|
||||
|
||||
#define _OUT(_field) offsetof(struct nl_parsed_table_addrs, _field)
|
||||
static const struct nlattr_parser nla_p_table_addr[] = {
|
||||
|
||||
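Review bot: Nothing in the new `nla_p_pfrtable` table ties the length bounds passed in `.arg` (`MAXPATHLEN`, `PF_TABLE_NAME_SIZE`) to the real sizes of `pfrt_anchor` and `pfrt_name`, so the parser/struct mismatch this commit fixes could return unnoticed if `struct pfr_table` ever changes. The struct definition is not visible in this hunk, so I am assuming the bounds match today. A compile-time check next to the table would pin that, e.g. `_Static_assert(sizeof(((struct pfr_table *)0)->pfrt_anchor) == MAXPATHLEN, "pfrt_anchor bound");` and the same for `pfrt_name`. I would also add a comment above the table such as `/* Decodes into struct pfr_table only; nla_p_table targets pfioc_table and writes one field more. */`, because the two parser names are easy to confuse and using the wrong one is what allowed the out-of-bounds write.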