system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-09 04:36:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

pfctl: fix possible out-of-bounds read

Browse Source 
Tags in $10 (filter_opts) are not guaranteed to be the maximum possible
tag length, so memcpy() can end up reading outside of the allocated
buffer.

Use strlcpy() instead.

Reported by:	CheriBSD
Event:		Kitchener-Waterloo Hackathon 202406
This commit is contained in:
Kristof Provost 2024-06-05 17:55:37 -04:00
parent 8f04209d37
commit dc3ee89c86
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sbin/pfctl/parse.y
View File

@ -1230,7 +1230,7 @@ etherrule : ETHER action dir quick interface bridge etherproto etherfromto l3fro
r.direction = $3;
r.quick = $4.quick;
if ($10.tag != NULL)
memcpy(&r.tagname, $10.tag, sizeof(r.tagname));
strlcpy(r.tagname, $10.tag, sizeof(r.tagname));
if ($10.match_tag)
if (strlcpy(r.match_tagname, $10.match_tag,
PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
@ -1240,7 +1240,7 @@ etherrule : ETHER action dir quick interface bridge etherproto etherfromto l3fro
}
r.match_tag_not = $10.match_tag_not;
if ($10.queues.qname != NULL)
memcpy(&r.qname, $10.queues.qname, sizeof(r.qname));
strlcpy(r.qname, $10.queues.qname, sizeof(r.qname));
r.dnpipe = $10.dnpipe;
r.dnflags = $10.free_flags;
if (eth_rule_label(&r, $10.label))