Hi,

diff -u -10 -r1.186 pf_ioctl.c
--- pf_ioctl.c 27 Sep 2007 22:24:05 -0000 1.186
+++ pf_ioctl.c 27 Nov 2007 13:23:49 -0000
@@ -1955,20 +1955,21 @@
/*
* if this is for a queue, find the discipline and
* copy the necessary fields
*/
if (altq->qname[0] != 0) {
if ((altq->qid = pf_qname2qid(altq->qname)) == 0) {
error = EBUSY;
pool_put(&pf_altq_pl, altq);
break;
}
+ altq->altq_disc = NULL;
TAILQ_FOREACH(a, pf_altqs_inactive, entries) {
if (strncmp(a->ifname, altq->ifname,
IFNAMSIZ) == 0 && a->qname[0] == 0) {
altq->altq_disc = a->altq_disc;
break;
}
}
}

error = altq_add(altq);

Otherwise altq_add is called with the userland supplied value for
altq_disc and could be abused to modify arbitrary kernel memory - in very
limited ways, but still.

--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc ]