Differential D33132

dummynet: Avoid an out-of-bounds read in do_config()
ClosedPublic
Actions

Authored by markj on Nov 26 2021, 4:01 PM.

Tags

None

Referenced Files

	F102645501: D33132.diff
	Fri, Nov 15, 7:01 AM

	Unknown Object (File)
	Sep 30 2024, 1:47 AM

	Unknown Object (File)
	Sep 20 2024, 10:58 AM

	Unknown Object (File)
	Sep 18 2024, 8:14 PM

	Unknown Object (File)
	Sep 6 2024, 1:28 PM

	Unknown Object (File)
	Sep 6 2024, 1:55 AM

	Unknown Object (File)
	Aug 24 2024, 1:44 PM

	Unknown Object (File)
	Aug 18 2024, 1:10 AM

View All 39 Files

Subscribers

Details

Reviewers

Commits

rGd5ea04ee7ba6: dummynet: Avoid an out-of-bounds read in do_config()

Summary

do_config() processes a buffer of variable-length dummynet commands.
The loop which processes this buffer loads the fixed-length header
before checking whether there are any bytes left to read, so it performs
a 4-byte read past the end of the buffer before terminating.

Restructure the loop to avoid this.

Reported by: Jenkins (KASAN job)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 42981
Build 39869: arc lint + arc unit

Event Timeline

markj created this revision.Nov 26 2021, 4:01 PM

Herald added subscribers: glebius, donner, melifaro and 2 others. · View Herald TranscriptNov 26 2021, 4:01 PM

markj requested review of this revision.Nov 26 2021, 4:01 PM

markj added a child revision: D33133: dummynet: Fix socket option length validation for IP_DUMMYNET3.

Harbormaster completed remote builds in B42981: Diff 99056.Nov 26 2021, 4:02 PM

kp accepted this revision.Nov 27 2021, 4:40 PM

This revision is now accepted and ready to land.Nov 27 2021, 4:40 PM

Closed by commit rGd5ea04ee7ba6: dummynet: Avoid an out-of-bounds read in do_config() (authored by markj). · Explain WhyNov 29 2021, 6:58 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rGd5ea04ee7ba6: dummynet: Avoid an out-of-bounds read in do_config().

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

ipfw/

4 lines

Diff 99056

sys/netpfil/ipfw/ip_dummynet.c

Loading...