On 2016-02-24 23:47:55 (-0800), Conrad Meyer wrote:
> On Wed, Feb 24, 2016 at 11:41 PM, Adrian Chadd wrote:
> > .. what's capping totlen so one doesn't run out of memory?
>
> There was a DoS vector before (user controlled io->pfrio_size) and
> basically the same DoS vector now (either of io->pfr
On Wed, Feb 24, 2016 at 11:41 PM, Adrian Chadd wrote:
> .. what's capping totlen so one doesn't run out of memory?

There was a DoS vector before (user controlled io->pfrio_size) and
basically the same DoS vector now (either of io->pfrio_size or
io->pfrio_size2). This change isn't a regression.

.. what's capping totlen so one doesn't run out of memory?

-a

On 24 February 2016 at 23:33, Kristof Provost wrote:
> Author: kp
> Date: Thu Feb 25 07:33:59 2016
> New Revision: 296025
> URL: https://svnweb.freebsd.org/changeset/base/296025
>
> Log:
> pf: Fix possible out-of-bounds write
>
>

Author: kp
Date: Thu Feb 25 07:33:59 2016
New Revision: 296025
URL: https://svnweb.freebsd.org/changeset/base/296025

Log:
  pf: Fix possible out-of-bounds write

  In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs,
  which is processed in pfr_set_addrs(). At the users
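
The question raised in the thread, what caps totlen, as an added example that is not part of the thread and not the FreeBSD code: a user-space sketch of sizing a buffer from two user-controlled counts with an explicit upper bound. The struct layouts, the function name `table_req_totlen` and the `MAX_TABLE_ENTRIES` cap are hypothetical, and it assumes the buffer must hold the larger of the two counts.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not the FreeBSD definitions. */
struct addr_entry { unsigned char raw[64]; };  /* plays the role of struct pfr_addr */
struct table_req {
    int size;   /* user-controlled, like io->pfrio_size  */
    int size2;  /* user-controlled, like io->pfrio_size2 */
};

#define MAX_TABLE_ENTRIES 65536  /* assumed policy cap, not a value from the thread */

/*
 * Validate both counts and compute the allocation size in bytes.
 * Returns 0 and sets *totlen on success, otherwise an errno value.
 */
int
table_req_totlen(const struct table_req *req, size_t *totlen)
{
    size_t count;

    if (req->size < 0 || req->size2 < 0)
        return (EINVAL);
    /* Size for the larger count so neither can index past the buffer. */
    count = (size_t)(req->size > req->size2 ? req->size : req->size2);
    /* Cap before allocating: this bounds the memory one request can consume. */
    if (count > MAX_TABLE_ENTRIES)
        return (E2BIG);
    /* Keeps the multiplication safe even if the cap is raised later. */
    if (count > SIZE_MAX / sizeof(struct addr_entry))
        return (EOVERFLOW);
    *totlen = count * sizeof(struct addr_entry);
    return (0);
}

int
main(void)
{
    struct table_req ok = { 4, 10 }, huge = { 1 << 30, 0 };  /* constructed inputs */
    size_t n = 0;
    int rc;

    rc = table_req_totlen(&ok, &n);
    printf("ok:   rc=%d totlen=%zu\n", rc, n);
    rc = table_req_totlen(&huge, &n);
    printf("huge: rc=%d (rejected before any allocation)\n", rc);
    return (0);
}
```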