221201 – [pf] Prevent possible endless loop when searching for an unused nat port

Bug 221201 - [pf] Prevent possible endless loop when searching for an unused nat port

Summary: [pf] Prevent possible endless loop when searching for an unused nat port

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Kristof Provost

URL:
Keywords:	patch, security

Depends on:
Blocks:

Reported:	2017-08-03 13:05 UTC by Fabian Keil
Modified:	2018-02-26 01:47 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	emaste: mfc-stable11+ fk: mfc-stable10?

Attachments
pf_pf_get_sport(): Prevent possible endless loop when searching for an unused nat port (2.00 KB, patch) 2017-08-03 13:05 UTC, Fabian Keil	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fabian Keil 2017-08-03 13:05:57 UTC

Created attachment 184989 [details]
pf_pf_get_sport(): Prevent possible endless loop when searching for an unused nat port

Attached is a "port" of Alexander Bluhm's OpenBSD commit r1.60.
The first chunk had to be modified because on OpenBSD the
'cut' declaration is located elsewhere.

OpenBSD commit message:
 Use a 32 bit variable to detect integer overflow when searching for
 an unused nat port.  Prevents a possible endless loop if high port
 is 65535 or low port is 0.
 report and analysis Jingmin Zhou; OK sashan@ visa@
Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c

Upstream report by Jingmin Zhou:
https://marc.info/?l=openbsd-pf&m=150020133510896&w=2

Obtained from: OpenBSD via ElectroBSD

Comment 1 commit-hook freebsd_committer

2017-08-08 21:09:48 UTC

A commit references this bug:

Author: kp
Date: Tue Aug  8 21:09:26 UTC 2017
New revision: 322280
URL: https://svnweb.freebsd.org/changeset/base/322280

Log:
  pf_get_sport(): Prevent possible endless loop when searching for an unused nat port

  This is an import of Alexander Bluhm's OpenBSD commit r1.60,
  the first chunk had to be modified because on OpenBSD the
  'cut' declaration is located elsewhere.

  Upstream report by Jingmin Zhou:
  https://marc.info/?l=openbsd-pf&m=150020133510896&w=2

  OpenBSD commit message:
   Use a 32 bit variable to detect integer overflow when searching for
   an unused nat port.  Prevents a possible endless loop if high port
   is 65535 or low port is 0.
   report and analysis Jingmin Zhou; OK sashan@ visa@
  Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c

  PR:		221201
  Submitted by:	Fabian Keil <fk@fabiankeil.de>
  Obtained from:  OpenBSD via ElectroBSD
  MFC after:	1 week

Changes:
  head/sys/netpfil/pf/pf_lb.c

Comment 2 commit-hook freebsd_committer

2017-08-16 19:52:53 UTC

A commit references this bug:

Author: kp
Date: Wed Aug 16 19:52:32 UTC 2017
New revision: 322591
URL: https://svnweb.freebsd.org/changeset/base/322591

Log:
  MFC r322280:
  pf_get_sport(): Prevent possible endless loop when searching for an unused nat port

  This is an import of Alexander Bluhm's OpenBSD commit r1.60,
  the first chunk had to be modified because on OpenBSD the
  'cut' declaration is located elsewhere.

  Upstream report by Jingmin Zhou:
  https://marc.info/?l=openbsd-pf&m=150020133510896&w=2

  OpenBSD commit message:
   Use a 32 bit variable to detect integer overflow when searching for
   an unused nat port.  Prevents a possible endless loop if high port
   is 65535 or low port is 0.
   report and analysis Jingmin Zhou; OK sashan@ visa@
  Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c

  PR:		221201
  Submitted by:	Fabian Keil <fk@fabiankeil.de>
  Obtained from:	OpenBSD via ElectroBSD

Changes:
_U  stable/11/
  stable/11/sys/netpfil/pf/pf_lb.c