ipfilter: Make sure fr_sifpidx does not point outside of fr_names
AbandonedPublic
Actions

Authored by cy on Oct 22 2025, 11:30 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Tue, Nov 18, 3:42 AM

	Unknown Object (File)
	Wed, Nov 12, 10:17 PM

	Unknown Object (File)
	Nov 1 2025, 2:42 AM

	Unknown Object (File)
	Oct 31 2025, 11:18 PM

	Unknown Object (File)
	Oct 26 2025, 10:40 AM

	Unknown Object (File)
	Oct 26 2025, 10:40 AM

	Unknown Object (File)
	Oct 26 2025, 10:37 AM

	Unknown Object (File)
	Oct 26 2025, 10:21 AM

Subscribers

vegeta_tuxpowered.net

Details

Reviewers

emaste
markj

Summary

This can result in an OOB read; passed to ipf_resolvenic() and other
code.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 68017
Build 64900: arc lint + arc unit

Event Timeline

cy created this revision.Oct 22 2025, 11:30 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro, imp. · View Herald TranscriptOct 22 2025, 11:30 PM

cy requested review of this revision.Oct 22 2025, 11:30 PM

Harbormaster completed remote builds in B68017: Diff 164815.Oct 22 2025, 11:30 PM

After testing this patch, it needs more work.

Move the test to frrequest() (on input).

Harbormaster completed remote builds in B68155: Diff 165179.Oct 28 2025, 3:24 AM

It makes no sense to do this test in isolation. This test and D53276 require fp->fr_namelen not to exceed LIFNAMSIZ. The entire issue will be fixed by D53276 instead of splitting the fix into two.

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

ipfilter/

netinet/

fil.c

4 lines

Diff 164815

View Options

sys/netpfil/ipfilter/netinet/fil.c

ipfilter: Make sure fr_sifpidx does not point outside of fr_namesAbandonedPublicActions