FreeBSD/src 56a799b (r328277)sys/netpfil/pf pf_ioctl.c

MFC r327675

pf: Avoid integer overflow issues by using mallocarray() iso. malloc()

pfioctl() handles several ioctl that takes variable length input, these
include:
- DIOCRADDTABLES
- DIOCRDELTABLES
- DIOCRGETTABLES
- DIOCRGETTSTATS
- DIOCRCLRTSTATS
- DIOCRSETTFLAGS

All of them take a pfioc_table struct as input from userland. One of
its elements (pfrio_size) is used in a buffer length calculation.
The calculation contains an integer overflow which if triggered can lead
to out of bound reads and writes later on.

Reported by:    Ilja Van Sprundel <ivansprundel at ioactive.com>
DeltaFile
+108-18sys/netpfil/pf/pf_ioctl.c
+108-181 files

UnifiedSplitRaw