Date: Thu, 25 Feb 2016 10:17:41 +0100 From: Kristof Provost <kp@FreeBSD.org> To: Conrad Meyer <cem@FreeBSD.org> Cc: Adrian Chadd <adrian.chadd@gmail.com>, "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org> Subject: Re: svn commit: r296025 - head/sys/netpfil/pf Message-ID: <20160225091741.GF3003@vega.codepro.be> In-Reply-To: <CAG6CVpWwidL6S90fnThc7mXp9sj3PbJB6rvkBN=MmbvFS%2B_vtw@mail.gmail.com> References: <201602250733.u1P7Xxoh041746@repo.freebsd.org> <CAJ-Vmok_-SzGnUdYi%2BnnDYdGhcKXOUthC1nnPyxHrnWJCKA%2Bcw@mail.gmail.com> <CAG6CVpWwidL6S90fnThc7mXp9sj3PbJB6rvkBN=MmbvFS%2B_vtw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2016-02-24 23:47:55 (-0800), Conrad Meyer <cem@FreeBSD.org> wrote: > On Wed, Feb 24, 2016 at 11:41 PM, Adrian Chadd <adrian.chadd@gmail.com> wrote: > > .. what's capping totlen so one doesn't run out of memory? > > There was a DoS vector before (user controlled io->pfrio_size) and > basically the same DoS vector now (either of io->pfrio_size or > io->pfrio_size2). This change isn't a regression. Still, it should > be fixed. > It's an M_WAITOK allocation, so if the user asks for more memory than is available the thread will sleep. I'd assumed that if the user terminates the thread the sleep will wake, the allocation will fail and the ioctl() will return an error. Perhaps we should do what OpenBSD do, and not allocate the temporary buffer at all. They copy in/out the individual entries one by one. On the other hand, one could still exhaust memory by inserting large numbers of addresses in the table. I'm a little wary of adding arbitrary limits to the number of entries in a table, because this bug (and #192677) show that users do actually insert 100.000 addresses in a table. Regards, Kristof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160225091741.GF3003>