Author: markj
Date: Tue Nov 24 16:18:47 2020
New Revision: 367987
URL: https://svnweb.freebsd.org/changeset/base/367987

Log:
  pf: Make tag hashing more robust
  
  tagname2tag() hashes the tag name before truncating it to 63 characters.
  tag_unref() removes the tag from the name hash by computing the hash
  over the truncated name.  Ensure that both operations compute the same
  hash for a given tag.
  
  The larger issue is a lack of string validation in pf(4) ioctl handlers.
  This is intended to be fixed with some future work, but an extra safety
  belt in tagname2hashindex() is worthwhile regardless.
  
  Reported by:  syzbot+a0988828aafb00de7...@syzkaller.appspotmail.com
  Reviewed by:  kp
  MFC after:    1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision:        https://reviews.freebsd.org/D27346

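The mismatch the log describes, as an added example that is not part of the commit or of pf: a name longer than 63 characters lands in one bucket when hashed in full and in another when hashed from its truncated copy. FNV-1a stands in for murmur3_32_hash(); TAG_NAME_SIZE, MASK, the helper names and the sample names are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_NAME_SIZE 64 /* assumed: 63 characters plus NUL, per the log */
#define MASK 0xffu       /* constructed hash-table mask */

/* FNV-1a, standing in for the kernel's murmur3_32_hash(). */
static uint32_t fnv1a(const char *p, size_t len) {
	uint32_t h = 2166136261u;
	while (len-- > 0)
		h = (h ^ (uint8_t)*p++) * 16777619u;
	return h;
}

/* Portable equivalent of strnlen(s, max). */
static size_t bounded_len(const char *s, size_t max) {
	const char *nul = memchr(s, '\0', max);
	return nul != NULL ? (size_t)(nul - s) : max;
}

/* Before: the hash covers the whole caller-supplied string. */
static uint16_t index_old(const char *name) {
	return (uint16_t)(fnv1a(name, strlen(name)) & MASK);
}
/* After: the hash covers only the bytes that survive truncation. */
static uint16_t index_new(const char *name) {
	size_t len = bounded_len(name, TAG_NAME_SIZE - 1);
	return (uint16_t)(fnv1a(name, len) & MASK);
}

/* Count constructed 64-char names whose insert and removal buckets differ. */
static int count_mismatches(uint16_t (*idx)(const char *)) {
	const char suffix[] = { 'x', 'y' };
	int bad = 0;
	for (size_t i = 0; i < sizeof(suffix); i++) {
		char requested[TAG_NAME_SIZE + 1] = { 0 }, stored[TAG_NAME_SIZE] = { 0 };
		memset(requested, 'a', TAG_NAME_SIZE - 1);
		requested[TAG_NAME_SIZE - 1] = suffix[i]; /* 64th character */
		memcpy(stored, requested, TAG_NAME_SIZE - 1); /* truncate to 63 */
		bad += idx(requested) != idx(stored);
	}
	return bad;
}

int main(void) {
	printf("mismatches: old=%d new=%d\n", count_mismatches(index_old), count_mismatches(index_new));
	return 0;
}
```

Two names that differ only in their 64th character cannot both hash to the truncated copy's bucket under FNV-1a, so the unbounded version always reports at least one mismatch here.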
Modified:
  head/sys/netpfil/pf/pf_ioctl.c

Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c      Tue Nov 24 15:32:25 2020        
(r367986)
+++ head/sys/netpfil/pf/pf_ioctl.c      Tue Nov 24 16:18:47 2020        
(r367987)
@@ -512,8 +512,10 @@ pf_cleanup_tagset(struct pf_tagset *ts)
 static uint16_t
 tagname2hashindex(const struct pf_tagset *ts, const char *tagname)
 {
+       size_t len;
 
-       return (murmur3_32_hash(tagname, strlen(tagname), ts->seed) & ts->mask);
+       len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);
+       return (murmur3_32_hash(tagname, len, ts->seed) & ts->mask);
 }
 
 static uint16_t
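Review bot: The bound on the added line "len = strnlen(tagname, PF_TAG_NAME_SIZE - 1);" carries no comment explaining why the hash stops there, so a later cleanup could put strlen() back and reintroduce the insert/remove mismatch the log describes. A short comment above that line, saying that the hash must cover only the bytes kept once the name is truncated and that the input may not have been validated, would record the invariant next to the code that depends on it.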