Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/external/bsd/ipf/netinet reduce stack usage in ipf_nat_i...



details:   https://anonhg.NetBSD.org/src/rev/8e9682aaa47e
branches:  trunk
changeset: 973242:8e9682aaa47e
user:      jdolecek <jdolecek%NetBSD.org@localhost>
date:      Wed Jun 24 21:54:57 2020 +0000

description:
reduce stack usage in ipf_nat_ioctl()

also, in SIOCADNAT, make sure to not leak kernel data

diffstat:

 sys/external/bsd/ipf/netinet/ip_nat.c |  37 +++++++++++++++++++++++-----------
 1 files changed, 25 insertions(+), 12 deletions(-)

diffs (95 lines):

diff -r 65bd7cadb6fb -r 8e9682aaa47e sys/external/bsd/ipf/netinet/ip_nat.c
--- a/sys/external/bsd/ipf/netinet/ip_nat.c     Wed Jun 24 21:06:39 2020 +0000
+++ b/sys/external/bsd/ipf/netinet/ip_nat.c     Wed Jun 24 21:54:57 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_nat.c,v 1.21 2019/02/04 07:59:01 mrg Exp $  */
+/*     $NetBSD: ip_nat.c,v 1.22 2020/06/24 21:54:57 jdolecek Exp $     */
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -112,7 +112,7 @@
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.21 2019/02/04 07:59:01 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.22 2020/06/24 21:54:57 jdolecek Exp $");
 #else
 static const char sccsid[] = "@(#)ip_nat.c     1.11 6/5/96 (C) 1995 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_nat.c,v 1.1.1.2 2012/07/22 13:45:27 darrenr Exp";
@@ -983,7 +983,7 @@
        ipf_nat_softc_t *softn = softc->ipf_nat_soft;
        int error = 0, ret, arg, getlock;
        ipnat_t *nat, *nt, *n;
-       ipnat_t natd;
+       ipnat_t *natd = NULL;
        SPL_INT(s);
 
 #if BSD_GE_YEAR(199306) && defined(_KERNEL)
@@ -1017,30 +1017,35 @@
 
        if ((cmd == (ioctlcmd_t)SIOCADNAT) || (cmd == (ioctlcmd_t)SIOCRMNAT) ||
            (cmd == (ioctlcmd_t)SIOCPURGENAT)) {
+               KMALLOC(natd, ipnat_t *);
+               if (natd == NULL) {
+                       error = ENOMEM;
+                       goto done;
+               }
                if (mode & NAT_SYSSPACE) {
-                       bcopy(data, (char *)&natd, sizeof(natd));
-                       nat = &natd;
+                       bcopy(data, natd, sizeof(*natd));
+                       nat = natd;
                        error = 0;
                } else {
-                       bzero(&natd, sizeof(natd));
-                       error = ipf_inobj(softc, data, NULL, &natd,
+                       bzero(natd, sizeof(*natd));
+                       error = ipf_inobj(softc, data, NULL, natd,
                                          IPFOBJ_IPNAT);
                        if (error != 0)
                                goto done;
 
-                       if (natd.in_size < sizeof(ipnat_t)) {
+                       if (natd->in_size < sizeof(ipnat_t)) {
                                error = EINVAL;
                                goto done;
                        }
-                       KMALLOCS(nt, ipnat_t *, natd.in_size);
+                       KMALLOCS(nt, ipnat_t *, natd->in_size);
                        if (nt == NULL) {
                                IPFERROR(60070);
                                error = ENOMEM;
                                goto done;
                        }
-                       bzero(nt, natd.in_size);
+                       bzero(nt, natd->in_size);
                        error = ipf_inobjsz(softc, data, nt, IPFOBJ_IPNAT,
-                                           natd.in_size);
+                                           natd->in_size);
                        if (error)
                                goto done;
                        nat = nt;
@@ -1132,7 +1137,13 @@
                        IPFERROR(60006);
                        error = EPERM;
                } else if (n != NULL) {
-                       natd.in_flineno = n->in_flineno;
+                       KMALLOC(natd, ipnat_t *);
+                       if (natd == NULL) {
+                               error = ENOMEM;
+                               goto done;
+                       }
+                       bzero(natd, sizeof(*natd));
+                       natd->in_flineno = n->in_flineno;
                        (void) ipf_outobj(softc, data, &natd, IPFOBJ_IPNAT);
                        IPFERROR(60007);
                        error = EEXIST;
@@ -1392,6 +1403,8 @@
 done:
        if (nat != NULL)
                ipf_nat_rule_fini(softc, nat);
+       if (natd != NULL)
+               KFREE(natd);
        if (nt != NULL)
                KFREES(nt, nt->in_size);
        return error;



Home | Main Index | Thread Index | Old Index