Module Name:    src
Committed By:   maxv
Date:           Fri Feb  9 21:25:04 UTC 2018

Modified Files:
        src/sys/dist/pf/net: pf.c

Log Message:
Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.

It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.

This bug was reported 8 years ago by Lucio Albornoz in PR/44059.


To generate a diff of this commit:
cvs rdiff -u -r1.77 -r1.78 src/sys/dist/pf/net/pf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dist/pf/net/pf.c
diff -u src/sys/dist/pf/net/pf.c:1.77 src/sys/dist/pf/net/pf.c:1.78
--- src/sys/dist/pf/net/pf.c:1.77	Tue Oct 31 15:00:03 2017
+++ src/sys/dist/pf/net/pf.c	Fri Feb  9 21:25:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf.c,v 1.77 2017/10/31 15:00:03 christos Exp $	*/
+/*	$NetBSD: pf.c,v 1.78 2018/02/09 21:25:04 maxv Exp $	*/
 /*	$OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */
 
 /*
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.77 2017/10/31 15:00:03 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.78 2018/02/09 21:25:04 maxv Exp $");
 
 #include "pflog.h"
 
@@ -1590,7 +1590,7 @@ pf_modulate_sack(struct mbuf *m, int off
 	struct sackblk sack;
 
 #ifdef __NetBSD__
-#define	TCPOLEN_SACK (2 * sizeof(uint32_t))
+#define	TCPOLEN_SACK		8		/* 2*sizeof(tcp_seq) */
 #endif
 
 #define TCPOLEN_SACKLEN	(TCPOLEN_SACK + 2)

Reply via email to