Wed Jan 19 19:58:02 2011 UTC ()
make sure the "overload_tbl" member of "struct pf_rule" copied in
from userland is initialized (it is used by the kernel only)
fixes crash or data injection (CVE-2010-3830), usually triggerable by the root user only
OpenBSD has rewritten the code to start with a zeroed struct and fills
in needed parts only - to be considered in case a newer pf version
is imported.


(drochner)
diff -r1.42 -r1.43 src/sys/dist/pf/net/pf_ioctl.c


--- src/sys/dist/pf/net/pf_ioctl.c 2010/05/07 17:41:57 1.42
+++ src/sys/dist/pf/net/pf_ioctl.c 2011/01/19 19:58:02 1.43
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: pf_ioctl.c,v 1.42 2010/05/07 17:41:57 degroote Exp $ */ 1/* $NetBSD: pf_ioctl.c,v 1.43 2011/01/19 19:58:02 drochner Exp $ */
2/* $OpenBSD: pf_ioctl.c,v 1.182 2007/06/24 11:17:13 mcbride Exp $ */ 2/* $OpenBSD: pf_ioctl.c,v 1.182 2007/06/24 11:17:13 mcbride Exp $ */
3 3
4/* 4/*
5 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2001 Daniel Hartmeier
6 * Copyright (c) 2002,2003 Henning Brauer 6 * Copyright (c) 2002,2003 Henning Brauer
7 * All rights reserved. 7 * All rights reserved.
8 * 8 *
9 * Redistribution and use in source and binary forms, with or without 9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions 10 * modification, are permitted provided that the following conditions
11 * are met: 11 * are met:
12 * 12 *
13 * - Redistributions of source code must retain the above copyright 13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer. 14 * notice, this list of conditions and the following disclaimer.
@@ -27,27 +27,27 @@ @@ -27,27 +27,27 @@
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE. 31 * POSSIBILITY OF SUCH DAMAGE.
32 * 32 *
33 * Effort sponsored in part by the Defense Advanced Research Projects 33 * Effort sponsored in part by the Defense Advanced Research Projects
34 * Agency (DARPA) and Air Force Research Laboratory, Air Force 34 * Agency (DARPA) and Air Force Research Laboratory, Air Force
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
36 * 36 *
37 */ 37 */
38 38
39#include <sys/cdefs.h> 39#include <sys/cdefs.h>
40__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.42 2010/05/07 17:41:57 degroote Exp $"); 40__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.43 2011/01/19 19:58:02 drochner Exp $");
41 41
42#ifdef _KERNEL_OPT 42#ifdef _KERNEL_OPT
43#include "opt_inet.h" 43#include "opt_inet.h"
44#include "opt_pfil_hooks.h" 44#include "opt_pfil_hooks.h"
45#endif 45#endif
46 46
47#include "pfsync.h" 47#include "pfsync.h"
48 48
49#include <sys/param.h> 49#include <sys/param.h>
50#include <sys/systm.h> 50#include <sys/systm.h>
51#include <sys/mbuf.h> 51#include <sys/mbuf.h>
52#include <sys/filio.h> 52#include <sys/filio.h>
53#include <sys/fcntl.h> 53#include <sys/fcntl.h>
@@ -1486,26 +1486,27 @@ pfioctl(dev_t dev, u_long cmd, void *add @@ -1486,26 +1486,27 @@ pfioctl(dev_t dev, u_long cmd, void *add
1486 error = EINVAL; 1486 error = EINVAL;
1487 if (pfi_dynaddr_setup(&rule->dst.addr, rule->af)) 1487 if (pfi_dynaddr_setup(&rule->dst.addr, rule->af))
1488 error = EINVAL; 1488 error = EINVAL;
1489 if (pf_tbladdr_setup(ruleset, &rule->src.addr)) 1489 if (pf_tbladdr_setup(ruleset, &rule->src.addr))
1490 error = EINVAL; 1490 error = EINVAL;
1491 if (pf_tbladdr_setup(ruleset, &rule->dst.addr)) 1491 if (pf_tbladdr_setup(ruleset, &rule->dst.addr))
1492 error = EINVAL; 1492 error = EINVAL;
1493 if (pf_anchor_setup(rule, ruleset, pr->anchor_call)) 1493 if (pf_anchor_setup(rule, ruleset, pr->anchor_call))
1494 error = EINVAL; 1494 error = EINVAL;
1495 TAILQ_FOREACH(pa, &pf_pabuf, entries) 1495 TAILQ_FOREACH(pa, &pf_pabuf, entries)
1496 if (pf_tbladdr_setup(ruleset, &pa->addr)) 1496 if (pf_tbladdr_setup(ruleset, &pa->addr))
1497 error = EINVAL; 1497 error = EINVAL;
1498 1498
 1499 rule->overload_tbl = NULL;
1499 if (rule->overload_tblname[0]) { 1500 if (rule->overload_tblname[0]) {
1500 if ((rule->overload_tbl = pfr_attach_table(ruleset, 1501 if ((rule->overload_tbl = pfr_attach_table(ruleset,
1501 rule->overload_tblname)) == NULL) 1502 rule->overload_tblname)) == NULL)
1502 error = EINVAL; 1503 error = EINVAL;
1503 else 1504 else
1504 rule->overload_tbl->pfrkt_flags |= 1505 rule->overload_tbl->pfrkt_flags |=
1505 PFR_TFLAG_ACTIVE; 1506 PFR_TFLAG_ACTIVE;
1506 } 1507 }
1507 1508
1508 pf_mv_pool(&pf_pabuf, &rule->rpool.list); 1509 pf_mv_pool(&pf_pabuf, &rule->rpool.list);
1509 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) || 1510 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
1510 (rule->action == PF_BINAT)) && rule->anchor == NULL) || 1511 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
1511 (rule->rt > PF_FASTROUTE)) && 1512 (rule->rt > PF_FASTROUTE)) &&
@@ -1737,26 +1738,27 @@ pfioctl(dev_t dev, u_long cmd, void *add @@ -1737,26 +1738,27 @@ pfioctl(dev_t dev, u_long cmd, void *add
1737 error = EINVAL; 1738 error = EINVAL;
1738 if (pfi_dynaddr_setup(&newrule->dst.addr, newrule->af)) 1739 if (pfi_dynaddr_setup(&newrule->dst.addr, newrule->af))
1739 error = EINVAL; 1740 error = EINVAL;
1740 if (pf_tbladdr_setup(ruleset, &newrule->src.addr)) 1741 if (pf_tbladdr_setup(ruleset, &newrule->src.addr))
1741 error = EINVAL; 1742 error = EINVAL;
1742 if (pf_tbladdr_setup(ruleset, &newrule->dst.addr)) 1743 if (pf_tbladdr_setup(ruleset, &newrule->dst.addr))
1743 error = EINVAL; 1744 error = EINVAL;
1744 if (pf_anchor_setup(newrule, ruleset, pcr->anchor_call)) 1745 if (pf_anchor_setup(newrule, ruleset, pcr->anchor_call))
1745 error = EINVAL; 1746 error = EINVAL;
1746 TAILQ_FOREACH(pa, &pf_pabuf, entries) 1747 TAILQ_FOREACH(pa, &pf_pabuf, entries)
1747 if (pf_tbladdr_setup(ruleset, &pa->addr)) 1748 if (pf_tbladdr_setup(ruleset, &pa->addr))
1748 error = EINVAL; 1749 error = EINVAL;
1749 1750
 1751 newrule->overload_tbl = NULL;
1750 if (newrule->overload_tblname[0]) { 1752 if (newrule->overload_tblname[0]) {
1751 if ((newrule->overload_tbl = pfr_attach_table( 1753 if ((newrule->overload_tbl = pfr_attach_table(
1752 ruleset, newrule->overload_tblname)) == 1754 ruleset, newrule->overload_tblname)) ==
1753 NULL) 1755 NULL)
1754 error = EINVAL; 1756 error = EINVAL;
1755 else 1757 else
1756 newrule->overload_tbl->pfrkt_flags |= 1758 newrule->overload_tbl->pfrkt_flags |=
1757 PFR_TFLAG_ACTIVE; 1759 PFR_TFLAG_ACTIVE;
1758 } 1760 }
1759 1761
1760 pf_mv_pool(&pf_pabuf, &newrule->rpool.list); 1762 pf_mv_pool(&pf_pabuf, &newrule->rpool.list);
1761 if (((((newrule->action == PF_NAT) || 1763 if (((((newrule->action == PF_NAT) ||
1762 (newrule->action == PF_RDR) || 1764 (newrule->action == PF_RDR) ||