Bug 221201 - [pf] Prevent possible endless loop when searching for an unused nat port
Summary: [pf] Prevent possible endless loop when searching for an unused nat port
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Kristof Provost
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2017-08-03 13:05 UTC by Fabian Keil
Modified: 2017-08-30 01:32 UTC (History)
1 user (show)

See Also:
fk: mfc-stable10?
emaste: mfc-stable11+


Attachments
pf_pf_get_sport(): Prevent possible endless loop when searching for an unused nat port (2.00 KB, patch)
2017-08-03 13:05 UTC, Fabian Keil
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Fabian Keil 2017-08-03 13:05:57 UTC
Created attachment 184989 [details]
pf_pf_get_sport(): Prevent possible endless loop when searching for an unused nat port

Attached is a "port" of Alexander Bluhm's OpenBSD commit r1.60.
The first chunk had to be modified because on OpenBSD the
'cut' declaration is located elsewhere.

OpenBSD commit message:
 Use a 32 bit variable to detect integer overflow when searching for
 an unused nat port.  Prevents a possible endless loop if high port
 is 65535 or low port is 0.
 report and analysis Jingmin Zhou; OK sashan@ visa@
Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c

Upstream report by Jingmin Zhou:
https://marc.info/?l=openbsd-pf&m=150020133510896&w=2

Obtained from: OpenBSD via ElectroBSD
Comment 1 commit-hook freebsd_committer 2017-08-08 21:09:48 UTC
A commit references this bug:

Author: kp
Date: Tue Aug  8 21:09:26 UTC 2017
New revision: 322280
URL: https://svnweb.freebsd.org/changeset/base/322280

Log:
  pf_get_sport(): Prevent possible endless loop when searching for an unused nat port

  This is an import of Alexander Bluhm's OpenBSD commit r1.60,
  the first chunk had to be modified because on OpenBSD the
  'cut' declaration is located elsewhere.

  Upstream report by Jingmin Zhou:
  https://marc.info/?l=openbsd-pf&m=150020133510896&w=2

  OpenBSD commit message:
   Use a 32 bit variable to detect integer overflow when searching for
   an unused nat port.  Prevents a possible endless loop if high port
   is 65535 or low port is 0.
   report and analysis Jingmin Zhou; OK sashan@ visa@
  Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c

  PR:		221201
  Submitted by:	Fabian Keil <fk@fabiankeil.de>
  Obtained from:  OpenBSD via ElectroBSD
  MFC after:	1 week

Changes:
  head/sys/netpfil/pf/pf_lb.c
Comment 2 commit-hook freebsd_committer 2017-08-16 19:52:53 UTC
A commit references this bug:

Author: kp
Date: Wed Aug 16 19:52:32 UTC 2017
New revision: 322591
URL: https://svnweb.freebsd.org/changeset/base/322591

Log:
  MFC r322280:
  pf_get_sport(): Prevent possible endless loop when searching for an unused nat port

  This is an import of Alexander Bluhm's OpenBSD commit r1.60,
  the first chunk had to be modified because on OpenBSD the
  'cut' declaration is located elsewhere.

  Upstream report by Jingmin Zhou:
  https://marc.info/?l=openbsd-pf&m=150020133510896&w=2

  OpenBSD commit message:
   Use a 32 bit variable to detect integer overflow when searching for
   an unused nat port.  Prevents a possible endless loop if high port
   is 65535 or low port is 0.
   report and analysis Jingmin Zhou; OK sashan@ visa@
  Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c

  PR:		221201
  Submitted by:	Fabian Keil <fk@fabiankeil.de>
  Obtained from:	OpenBSD via ElectroBSD

Changes:
_U  stable/11/
  stable/11/sys/netpfil/pf/pf_lb.c