FreeBSD Bugzilla – Attachment 184989 Details for
Bug 221201
[pf] Prevent possible endless loop when searching for an unused nat port
[patch]
pf_pf_get_sport(): Prevent possible endless loop when searching for an unused nat port
pf_get_sport-Prevent-possible-endless-loop.diff (text/plain), 2.00 KB, created by
Fabian Keil
on 2017-08-03 13:05:57 UTC
>From 6225f6bbc290bd8cc151db191de77471133bea0e Mon Sep 17 00:00:00 2001 >From: Fabian Keil <fk@fabiankeil.de> >Date: Wed, 12 Jul 2017 17:17:04 +0200 >Subject: [PATCH] pf_get_sport(): Prevent possible endless loop when searching > for an unused nat port > >This is an import of Alexander Bluhm's OpenBSD commit r1.60, >the first chunk had to be modified because on OpenBSD the >'cut' declaration is located elsewhere. > >Upstream report by Jingmin Zhou: >https://marc.info/?l=openbsd-pf&m=150020133510896&w=2 > >OpenBSD commit message: > Use a 32 bit variable to detect integer overflow when searching for > an unused nat port. Prevents a possible endless loop if high port > is 65535 or low port is 0. > report and analysis Jingmin Zhou; OK sashan@ visa@ >Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c > >Obtained from: OpenBSD via ElectroBSD >--- > sys/netpfil/pf/pf_lb.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > >diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c >index eac531795ce8..9f1b1dfbe26c 100644 >--- a/sys/netpfil/pf/pf_lb.c >+++ b/sys/netpfil/pf/pf_lb.c >@@ -259,7 +259,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, > return (0); > } > } else { >- uint16_t tmp, cut; >+ uint32_t tmp; >+ uint16_t cut; > > if (low > high) { > tmp = low; >@@ -269,7 +270,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, > /* low < high */ > cut = arc4random() % (1 + high - low) + low; > /* low <= cut <= high */ >- for (tmp = cut; tmp <= high; ++(tmp)) { >+ for (tmp = cut; tmp <= high && tmp <= 0xffff; ++tmp) { > key.port[1] = htons(tmp); > if (pf_find_state_all(&key, PF_IN, NULL) == > NULL) { 
>@@ -277,7 +278,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, > return (0); > } > } >- for (tmp = cut - 1; tmp >= low; --(tmp)) { >+ tmp = cut; >+ for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp) { > key.port[1] = htons(tmp); > if (pf_find_state_all(&key, PF_IN, NULL) == > NULL) { >-- >2.13.2 >
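Review bot: In the first hunk (-259,7), the declaration gives no reason why `tmp` is now `uint32_t` while `cut` stays `uint16_t`, so a later cleanup could narrow it again and reintroduce the wrap. A short comment at the declaration, such as "32 bit so the port search loops can detect wrap past 0xffff or below 0", would protect it. `tmp` is also still used as the scratch variable in the `if (low > high)` swap just below; a separately named loop counter would make the special width easier to justify.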
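Review bot: In the second hunk (-269,7), `htons(tmp)` now receives a 32-bit value and depends on the loop condition to keep it within port range; an explicit `htons((uint16_t)tmp)` would document that the narrowing is intended. If `high` is a 16-bit port value, as the commit message's "high port is 65535" implies, then `tmp <= high` already stops the widened counter at 65536 and the added `tmp <= 0xffff` is a defensive duplicate, which is fine to keep but worth a comment so nobody removes one of the two checks by mistake.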
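Review bot: In the third hunk (-277,7), termination of the downward loop when `low` is 0 depends entirely on unsigned wraparound: `--tmp` at 0 yields 0xffffffff, and only the `tmp <= 0xffff` test then ends the loop. That is not obvious from `tmp = cut;` followed by `for (tmp -= 1; ...`, so please add a comment stating that the upper-bound test is what catches the underflow. The same applies when `cut` itself is 0, where `tmp -= 1` wraps before the first iteration and the body must not run.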