upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-11 01:30:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

cap_net: do not allow new limits to drop keys from the old ones

Browse source 
If the old limit had family/hosts/sockaddr set, the new limit must
have them too. Before, a missing key in the new limit was treated as
"allow any", which let a caller silently extend their limits.

Approved by:	so
Security:	FreeBSD-SA-26:24.cap_net
Security:	CVE-2026-45254
Reported by:	Joshua Rogers of AISLE Research Team
Reviewed by:	markj
MFC after:	1 day
Differential Revision:	https://reviews.freebsd.org/D56991

(cherry picked from commit d705a519525f2acae3c1efba11436ec6ee8aea0a)
(cherry picked from commit b79faca1c5964d89c125d02de35928b733041f3f)
This commit is contained in:
Mariusz Zaborski 2026-05-12 10:33:41 +02:00 committed by Franco Fichtner
parent 7efe37333e
commit 60f8236dd2
1 changed files with 31 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
lib/libcasper/services/cap_net/cap_net.c
View file

@ -1099,12 +1099,37 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout)
return (0);
}
/*
* If the old sublimit restricted a subkey, the new one must too;
* a missing subkey means "allow any" at request time.
*/
static bool
verify_subkeys_present(const nvlist_t *oldfunclimits,
const nvlist_t *newfunclimit)
{
void *cookie;
const char *name;
if (oldfunclimits == NULL)
return (true);
cookie = NULL;
while ((name = nvlist_next(oldfunclimits, NULL, &cookie)) != NULL) {
if (!nvlist_exists(newfunclimit, name))
return (false);
}
return (true);
}
static bool
verify_only_sa_newlimts(const nvlist_t *oldfunclimits,
const nvlist_t *newfunclimit)
{
void *cookie;
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
return (false);
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
void *sacookie;
@ -1177,6 +1202,9 @@ verify_addr2name_newlimits(const nvlist_t *oldlimits,
LIMIT_NV_ADDR2NAME, NULL);
}
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
return (false);
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
if (strcmp(cnvlist_name(cookie), "sockaddr") == 0) {
@ -1235,6 +1263,9 @@ verify_name2addr_newlimits(const nvlist_t *oldlimits,
LIMIT_NV_NAME2ADDR, NULL);
}
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
return (false);
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
if (strcmp(cnvlist_name(cookie), "hosts") == 0) {