From 58d7f9e61903e78a381912527dc9dacb6e7feddc Mon Sep 17 00:00:00 2001
From: Robert Mustacchi
Date: Wed, 18 Mar 2015 21:39:40 +0000
Subject: [PATCH] 5734 IPFGENITER needs to know when to hit the brakes
Reviewed by: Jerry Jelinek
Reviewed by: Dan McDonald
Reviewed by: Richard Lowe
Approved by: Garrett D'Amore
---
 usr/src/uts/common/inet/ipf/ip_nat.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/usr/src/uts/common/inet/ipf/ip_nat.c b/usr/src/uts/common/inet/ipf/ip_nat.c
index a3c8ecef5e..b556d0983e 100644
--- a/usr/src/uts/common/inet/ipf/ip_nat.c
+++ b/usr/src/uts/common/inet/ipf/ip_nat.c
@@ -5533,7 +5533,16 @@ ipf_stack_t *ifs;
 RWLOCK_EXIT(&ifs->ifs_ipf_nat);
 return EINVAL;
 }
-
+
+ /*
+ * Note, this loop is based on the number of items that a user
+ * requested. The user can request any number, potentially far more than
+ * the number of items that actually exist. If a user does that, we'll
+ * break out of this by setting the value of count to 1 which terminates
+ * the loop. This should be fine from an ioctl perspective, because the
+ * last entry that we insert will be the zero entry which terminates the
+ * chain.
+ */
 dst = itp->igi_data;
 for (count = itp->igi_nitems; count > 0; count--) {
 /*
@@ -5594,6 +5603,7 @@ ipf_stack_t *ifs;
 error = EFAULT;
 if (t->ipt_data == NULL) {
 ipf_freetoken(t, ifs);
+ count = 1;
 break;
 } else {
 if (hm != NULL) {
@@ -5603,6 +5613,7 @@ ipf_stack_t *ifs;
 }
 if (nexthm->hm_next == NULL) {
 ipf_freetoken(t, ifs);
+ count = 1;
 break;
 }
 dst += sizeof(*nexthm);
@@ -5617,6 +5628,7 @@ ipf_stack_t *ifs;
 error = EFAULT;
 if (t->ipt_data == NULL) {
 ipf_freetoken(t, ifs);
+ count = 1;
 break;
 } else {
 if (ipn != NULL) {
@@ -5626,6 +5638,7 @@ ipf_stack_t *ifs;
 }
 if (nextipnat->in_next == NULL) {
 ipf_freetoken(t, ifs);
+ count = 1;
 break;
 }
 dst += sizeof(*nextipnat);
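Review bot: The new comment above `for (count = itp->igi_nitems; count > 0; count--)` says that a user-supplied item count can exceed the number of entries, but it does not say why running another pass would be unsafe. Every site that sets `count = 1` has just called `ipf_freetoken(t, ifs)`, so presumably a further iteration would work with a token that is already freed, and that is the fact a later maintainer needs when adding an exit path. I would add one sentence to the comment, for example `The token has been freed at that point, so the loop must not run again.` The loop body continues outside this hunk, so how `t` is used at the top of the loop should be confirmed before settling the wording.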
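Review bot: `count = 1; break;` in the `t->ipt_data == NULL` branch stops the outer loop only indirectly, because the `break` appears to leave just the enclosing switch and the loop then ends through the `count--` in the for header or a check that is outside this hunk. The same pair is repeated at the `nexthm->hm_next`, `ipn`, `nextipnat->in_next` and both `nat` sites in the following hunks, six times in total, with nothing at the site to say it is a loop exit. A one-line comment at each site, e.g. `/* end of list: make this the final pass */`, or a single named flag tested in the loop condition, would keep a future exit path from freeing the token without stopping the loop. The enclosing function starts and ends outside the hunk.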
@@ -5640,12 +5653,14 @@ ipf_stack_t *ifs;
 error = EFAULT;
 if (t->ipt_data == NULL) {
 ipf_freetoken(t, ifs);
+ count = 1;
 break;
 } else {
 if (nat != NULL)
 fr_natderef(&nat, ifs);
 if (nextnat->nat_next == NULL) {
 ipf_freetoken(t, ifs);
+ count = 1;
 break;
 }
 dst += sizeof(*nextnat);
-- 
2.11.4.GIT
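Review bot: In the `t->ipt_data == NULL` branch the token is freed and the loop is stopped, but `fr_natderef(&nat, ifs)` is reached only in the else branch, so it is worth confirming that a non-NULL `nat` carried over from the previous pass does not keep its reference when the list ends on this path. If it can, the reference should be dropped before leaving, e.g. `if (nat != NULL) fr_natderef(&nat, ifs);` ahead of `ipf_freetoken(t, ifs);`. Where `nat` takes its reference is outside the hunk, so this is a question to check rather than a confirmed leak; since the iteration is driven by a user ioctl, a leaked reference per call would accumulate. The hostmap and ipnat cases in the earlier hunks appear to have the same shape.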