Source-Changes-HG archive
[src/trunk]: src/sys/net/npf Add NPF_MAX_RULES, an artificial limit (set it t...
details: https://anonhg.NetBSD.org/src/rev/d80d6dd76d59
branches: trunk
changeset: 790945:d80d6dd76d59
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Oct 27 16:22:08 2013 +0000
description:
Add NPF_MAX_RULES, an artificial limit (set it to 1M).
diffstat:
sys/net/npf/npf_ctl.c | 12 ++++++++----
sys/net/npf/npf_impl.h | 4 +++-
2 files changed, 11 insertions(+), 5 deletions(-)
diffs (59 lines):
diff -r a9d53392b1b8 -r d80d6dd76d59 sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c Sun Oct 27 16:19:33 2013 +0000
+++ b/sys/net/npf/npf_ctl.c Sun Oct 27 16:22:08 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ctl.c,v 1.29 2013/09/19 01:49:07 rmind Exp $ */
+/* $NetBSD: npf_ctl.c,v 1.30 2013/10/27 16:22:08 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.29 2013/09/19 01:49:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.30 2013/10/27 16:22:08 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -467,7 +467,9 @@
/* NAT policies. */
natlist = prop_dictionary_get(npf_dict, "translation");
- nitems = prop_array_count(natlist);
+ if ((nitems = prop_array_count(natlist)) > NPF_MAX_RULES) {
+ goto fail;
+ }
nset = npf_ruleset_create(nitems);
error = npf_mk_natlist(nset, natlist, errdict);
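Review bot: The new `goto fail` in the NAT-policy count check is taken without assigning `error`, so the fail path reports whatever value `error` held before. If that value is 0 from an earlier successful step, an oversized configuration would be rejected while the call still appears to succeed. The identical check on the `rules` array in the next hunk has the same gap. Set an explicit code in both branches, for example `error = E2BIG;` before `goto fail;` (the exact errno is a project choice). The enclosing function and the `fail` label lie outside the hunk, so how `error` is consumed there should be confirmed.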
@@ -493,7 +495,9 @@
/* Rules. */
rules = prop_dictionary_get(npf_dict, "rules");
- nitems = prop_array_count(rules);
+ if ((nitems = prop_array_count(rules)) > NPF_MAX_RULES) {
+ goto fail;
+ }
rlset = npf_ruleset_create(nitems);
error = npf_mk_rules(rlset, rules, rpset, errdict);
diff -r a9d53392b1b8 -r d80d6dd76d59 sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Sun Oct 27 16:19:33 2013 +0000
+++ b/sys/net/npf/npf_impl.h Sun Oct 27 16:22:08 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.33 2013/09/19 01:49:07 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.34 2013/10/27 16:22:08 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -100,7 +100,9 @@
typedef npf_session_t *(*npf_alg_sfunc_t)(npf_cache_t *, nbuf_t *, int);
typedef void (*npf_workfunc_t)(void);
+/* Some artificial limits. */
#define NPF_TABLE_SLOTS 32
+#define NPF_MAX_RULES (1024 * 1024)
/*
* SESSION STATE STRUCTURES
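Review bot: The comment `/* Some artificial limits. */` does not say what `NPF_MAX_RULES` bounds or why it exists. In npf_ctl.c the value gates an item count taken from the loaded configuration dictionary before `npf_ruleset_create(nitems)` is called, so a comment such as `/* Max. entries accepted per "rules"/"translation" array; bounds ruleset creation. */` would record that. Whether nested rules count against the limit is not visible in this change and is worth stating in the same comment.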