The branch releng/15.0 has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f69df16fcc204e2ec651c8465343611f370c2f8e

commit f69df16fcc204e2ec651c8465343611f370c2f8e
Author:     Mariusz Zaborski <[email protected]>
AuthorDate: 2026-05-12 08:33:41 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2026-05-19 23:52:31 +0000

    cap_net: do not allow new limits to drop keys from the old ones
    
    If the old limit had family/hosts/sockaddr set, the new limit must
    have them too. Before, a missing key in the new limit was treated as
    "allow any", which let a caller silently extend their limits.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:24.cap_net
    Security:       CVE-2026-45254
    Reported by:    Joshua Rogers of AISLE Research Team
    Reviewed by:    markj
    MFC after:      1 day
    Differential Revision:  https://reviews.freebsd.org/D56991
    
    (cherry picked from commit d705a519525f2acae3c1efba11436ec6ee8aea0a)
    (cherry picked from commit 7eb3fd691d64dd42f9d32e04cb9b5811fd7c8e55)
---
 lib/libcasper/services/cap_net/cap_net.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/lib/libcasper/services/cap_net/cap_net.c 
b/lib/libcasper/services/cap_net/cap_net.c
index 5887fe3c407e..67eec73cae7e 100644
--- a/lib/libcasper/services/cap_net/cap_net.c
+++ b/lib/libcasper/services/cap_net/cap_net.c
@@ -1122,12 +1122,37 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, 
nvlist_t *nvlout)
        return (0);
 }
 
+/*
+ * If the old sublimit restricted a subkey, the new one must too;
+ * a missing subkey means "allow any" at request time.
+ */
+static bool
+verify_subkeys_present(const nvlist_t *oldfunclimits,
+    const nvlist_t *newfunclimit)
+{
+       void *cookie;
+       const char *name;
+
+       if (oldfunclimits == NULL)
+               return (true);
+
+       cookie = NULL;
+       while ((name = nvlist_next(oldfunclimits, NULL, &cookie)) != NULL) {
+               if (!nvlist_exists(newfunclimit, name))
+                       return (false);
+       }
+       return (true);
+}
+
 static bool
 verify_only_sa_newlimts(const nvlist_t *oldfunclimits,
     const nvlist_t *newfunclimit)
 {
        void *cookie;
 
+       if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+               return (false);
+
        cookie = NULL;
        while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
                void *sacookie;
@@ -1200,6 +1225,9 @@ verify_addr2name_newlimits(const nvlist_t *oldlimits,
                    LIMIT_NV_ADDR2NAME, NULL);
        }
 
+       if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+               return (false);
+
        cookie = NULL;
        while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
                if (strcmp(cnvlist_name(cookie), "sockaddr") == 0) {
@@ -1258,6 +1286,9 @@ verify_name2addr_newlimits(const nvlist_t *oldlimits,
                    LIMIT_NV_NAME2ADDR, NULL);
        }
 
+       if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+               return (false);
+
        cookie = NULL;
        while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
                if (strcmp(cnvlist_name(cookie), "hosts") == 0) {

Reply via email to