diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
--- a/sbin/ipf/libipf/interror.c
+++ b/sbin/ipf/libipf/interror.c
@@ -177,6 +177,10 @@
 { 149, "object size validation failed for kernel copyout" },
 { 150, "error copying data out for kernel copyout" },
 { 151, "version mismatch for kernel copyout" },
+ { 152, "negative fr_ifnames" },
+ { 153, "fr_name length incorrect"},
+ { 154, "fr_namelength incorrect"},
+ { 155, "fr_sifpidx is invalid"},
 /* -------------------------------------------------------------------------- */
 { 10001, "could not find token for auth iterator" },
 { 10002, "write permissions require to add/remove auth rule" },
@@ -228,8 +232,6 @@
 { 30024, "object size incorrect for hash table" },
 { 30025, "hash table size must be at least 1"},
 { 30026, "cannot allocate memory for hash table context" },
- { 30027, "hash table larger than maximum allowed" },
- { 30028, "hash table multiplication overflow" },
 /* -------------------------------------------------------------------------- */
 { 40001, "invalid minor device number for log read" },
 { 40002, "read size too small" },
diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -4408,7 +4408,9 @@
 void *ptr, *uptr;
 u_int *p, *pp;
 frgroup_t *fg;
- char *group;
+ char *group, *name;
+ size_t namelen;
+ int i;
 
 ptr = NULL;
 fg = NULL;
@@ -4720,6 +4722,17 @@
 break;
 }
 
+ if (fp->fr_namelen > LIFNAMSIZ) {
+ IPFERROR(154);
+ error = EINVAL;
+ }
+ if ((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) {
+ if (fp->fr_sifpidx < 0 || fp->fr_sifpidx > fp->fr_namelen) {
+ IPFERROR(155);
+ error = EINVAL;
+ }
+ }
+
 switch (fp->fr_satype)
 {
 case FRI_BROADCAST :
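Review bot: The strings added for 153 and 154 (`"fr_name length incorrect"` and `"fr_namelength incorrect"`) are nearly identical, so an operator who gets one of them back from a rejected rule cannot tell which check fired. In the fil.c part of this change 154 is raised when `fr_namelen` exceeds `LIFNAMSIZ` and 153 when an interface name is longer than `fr_namelen`; wording such as `{ 153, "interface name longer than fr_namelen" },` and `{ 154, "fr_namelen exceeds LIFNAMSIZ" },` would say that directly. The three entries after 152 also drop the space before the closing brace that the 152 line and most neighbouring entries use.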
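Review bot: The new `fr_namelen` check in the -4720 hunk has no lower bound: `if (fp->fr_namelen > LIFNAMSIZ)` lets a negative value through if the field is signed (its type is not visible here), and the later test `namelen > fp->fr_namelen` would then compare a `size_t` against a value that converts to a very large number and never fire. I would write `if (fp->fr_namelen < 0 || fp->fr_namelen > LIFNAMSIZ) {`. The index test `fp->fr_sifpidx > fp->fr_namelen` also accepts an index equal to the length, which is one past the end if `fr_sifpidx` is an offset into the name data, so `>=` looks intended. The type test reads `fr->fr_type` while every other line uses `fp`, and `fr` is not among the declarations shown in the -4408 hunk, so please confirm it refers to the rule being validated. The enclosing function starts and ends outside the hunk, and both checks only set `error` without leaving the validation path.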
@@ -4828,6 +4841,19 @@
 }
 }
 
+ for (i = 0; i < FR_NUM(fp->fr_ifnames); i++) {
+ if (fp->fr_ifnames[i] < 0) {
+ IPFERROR(152);
+ error = EINVAL;
+ }
+ name = FR_NAME(fp, fr_ifnames[i]);
+ namelen = strnlen(name, LIFNAMSIZ + 1);
+ if (namelen > fp->fr_namelen) {
+ IPFERROR(153);
+ error = EINVAL;
+ }
+ }
+
 /*
 * Lookup all the interface names that are part of the rule.
 */
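Review bot: The loop reads the name before its offset has been validated: after `fp->fr_ifnames[i] < 0` sets `error`, execution still falls through to `FR_NAME(fp, fr_ifnames[i])` and `strnlen()`, and the offset is never checked against an upper bound. `strnlen(name, LIFNAMSIZ + 1)` can therefore scan up to `LIFNAMSIZ + 1` bytes starting outside the rule's name data, and `namelen > fp->fr_namelen` compares only the string length, not offset plus length, with the buffer size. Assuming `FR_NAME` yields a pointer at that offset into a buffer of `fr_namelen` bytes (the macro is not visible here), the offset should be range-checked first and the scan limited to the bytes that remain, as below. This relies on a negative `fr_namelen` having been rejected earlier, and the function body continues outside the hunk.

```c
for (i = 0; i < FR_NUM(fp->fr_ifnames); i++) {
	if (fp->fr_ifnames[i] < 0 ||
	    fp->fr_ifnames[i] >= fp->fr_namelen) {
		IPFERROR(152);
		error = EINVAL;
		break;
	}
	name = FR_NAME(fp, fr_ifnames[i]);
	namelen = (size_t)(fp->fr_namelen - fp->fr_ifnames[i]);
	/* A name must be terminated inside the bytes that remain. */
	if (strnlen(name, namelen) == namelen) {
		IPFERROR(153);
		error = EINVAL;
		break;
	}
}
```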