Module Name: src Committed By: drochner Date: Wed Jan 19 19:58:02 UTC 2011
Modified Files: src/sys/dist/pf/net: pf_ioctl.c Log Message: make sure the "overload_tbl" member of "struct pf_rule" copied in from userland is initialized (it is used by the kernel only); this fixes a crash or data injection (CVE-2010-3830), usually triggerable by the root user only. OpenBSD has rewritten the code to start with a zero'd struct and fill in the needed parts only - to be considered in case a newer pf version is imported. To generate a diff of this commit: cvs rdiff -u -r1.42 -r1.43 src/sys/dist/pf/net/pf_ioctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/dist/pf/net/pf_ioctl.c
diff -u src/sys/dist/pf/net/pf_ioctl.c:1.42 src/sys/dist/pf/net/pf_ioctl.c:1.43
--- src/sys/dist/pf/net/pf_ioctl.c:1.42 Fri May 7 17:41:57 2010
+++ src/sys/dist/pf/net/pf_ioctl.c Wed Jan 19 19:58:02 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: pf_ioctl.c,v 1.42 2010/05/07 17:41:57 degroote Exp $ */
+/* $NetBSD: pf_ioctl.c,v 1.43 2011/01/19 19:58:02 drochner Exp $ */
 /* $OpenBSD: pf_ioctl.c,v 1.182 2007/06/24 11:17:13 mcbride Exp $ */
 
 /*
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.42 2010/05/07 17:41:57 degroote Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.43 2011/01/19 19:58:02 drochner Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1496,6 +1496,7 @@
 if (pf_tbladdr_setup(ruleset, &pa->addr))
 error = EINVAL;
+ rule->overload_tbl = NULL;
 if (rule->overload_tblname[0]) {
 if ((rule->overload_tbl = pfr_attach_table(ruleset,
 rule->overload_tblname)) == NULL)
@@ -1747,6 +1748,7 @@
 if (pf_tbladdr_setup(ruleset, &pa->addr))
 error = EINVAL;
+ newrule->overload_tbl = NULL;
 if (newrule->overload_tblname[0]) {
 if ((newrule->overload_tbl = pfr_attach_table(
 ruleset, newrule->overload_tblname)) ==
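Review bot: The reset of `rule->overload_tbl` in the hunk at -1496 is placed immediately before the table lookup rather than at the point where the rule is copied in from userland, so any code running between the copyin and this line that reads the field (not visible in this hunk) would still see the userland-supplied pointer; consider moving the reset to the copyin site, or at least recording the invariant here, e.g. `rule->overload_tbl = NULL;	/* kernel-only pointer; never trust the userland copy */`. The same applies to the hunk at -1747 for `newrule`. The log message itself notes that OpenBSD starts from a zeroed struct and fills in only the needed members; this change sanitizes a single kernel-only member, and any other kernel-only pointer members of struct pf_rule copied from userland are presumably still left as supplied and would need the same treatment. The enclosing function starts and ends outside the hunk.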