
pf_get_sport(): Prevent possible endless loop when searching for an unused nat port

This is an import of Alexander Bluhm's OpenBSD commit r1.60,
the first chunk had to be modified because on OpenBSD the
'cut' declaration is located elsewhere.

Upstream report by Jingmin Zhou:
https://marc.info/?l=openbsd-pf&m=150020133510896&w=2

OpenBSD commit message:
 Use a 32 bit variable to detect integer overflow when searching for
 an unused nat port.  Prevents a possible endless loop if high port
 is 65535 or low port is 0.
 report and analysis Jingmin Zhou; OK sashan@ visa@
Quoted from: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_lb.c

PR:		221201
Submitted by:	Fabian Keil <fk@fabiankeil.de>
Obtained from:  OpenBSD via ElectroBSD
MFC after:	1 week
Kristof Provost 2017-08-08 21:09:26 +00:00
parent 5b896b567d
commit 7f3ad01804
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=322280


@ -259,7 +259,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
return (0);
}
} else {
uint16_t tmp, cut;
uint32_t tmp;
uint16_t cut;
if (low > high) {
tmp = low;
@ -269,7 +270,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
/* low < high */
cut = arc4random() % (1 + high - low) + low;
/* low <= cut <= high */
for (tmp = cut; tmp <= high; ++(tmp)) {
for (tmp = cut; tmp <= high && tmp <= 0xffff; ++tmp) {
key.port[1] = htons(tmp);
if (pf_find_state_all(&key, PF_IN, NULL) ==
NULL) {
@ -277,7 +278,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
return (0);
}
}
for (tmp = cut - 1; tmp >= low; --(tmp)) {
tmp = cut;
for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp) {
key.port[1] = htons(tmp);
if (pf_find_state_all(&key, PF_IN, NULL) ==
NULL) {
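Review bot: Both search loops now terminate only because `tmp` is wider than a port number, and nothing at the declaration `uint32_t tmp;` says so, so a later cleanup that narrows it back to 16 bits would silently reintroduce the endless loop in the packet path. In the downward loop, `for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp)`, the exit for low == 0 comes from unsigned wraparound to 0xffffffff being caught by `tmp <= 0xffff`, which is easy to misread as a redundant range check. I would add a comment at the declaration such as `/* tmp must be wider than 16 bits: the loops below rely on it reaching 0x10000 or wrapping past 0 to terminate */`. The types of `low` and `high` are declared outside the visible hunks, so this assumes they are 16-bit ports; pf_get_sport() itself starts and ends outside the section.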