From f677cfb0ca9596d3f2173bb8e47b601bf3dcd57f Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 2 Apr 2015 19:52:54 +0200
Subject: [PATCH 023/257] ggated recv_thread(): Reject request with more than
 MAXPHYS bytes of data

.. to limit the amount of memory we (try to) allocate on behalf
of the client without knowing whether or not the client actually
intents to use it.

MAXPHYS is the hardcoded limit in ggatec so anything above it is
suspicious and could be a DoS attempt. This commit forces users who
like to tune MAXPHYS to make sure the value used by ggated is not
below the one used by ggatec. While not ideal, this seems preferable
to the DoS risk.

Obtained from: ElectroBSD
---
 sbin/ggate/ggated/ggated.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sbin/ggate/ggated/ggated.c b/sbin/ggate/ggated/ggated.c
index 6b53decdeb65..22810b0a00fd 100644
--- a/sbin/ggate/ggated/ggated.c
+++ b/sbin/ggate/ggated/ggated.c
@@ -671,6 +671,16 @@ recv_thread(void *arg)
 		}
 
 		/*
+		 * Limit the amount of memory we allocate on behalf of
+		 * the client. MAXPHYS is the hard limit in ggatec,
+		 * values above it are thus pretty suspicious.
+		 */
+		if (req->r_length > MAXPHYS) {
+			g_gate_xlog("Request length above MAXPHYS: %u > %u",
+			    (unsigned)req->r_length, MAXPHYS);
+		}
+
+		/*
 		 * Allocate memory for data.
 		 */
 		req->r_data = malloc_waitok(req->r_length);
-- 
2.11.0