diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c
--- a/sys/netpfil/ipfilter/netinet/ip_state.c
+++ b/sys/netpfil/ipfilter/netinet/ip_state.c
@@ -938,10 +938,12 @@
 		 * Look up all the interface names in the rule.
 		 */
 		for (i = 0; i < FR_NUM(fr->fr_ifnames); i++) {
-			if (fr->fr_ifnames[i] == -1) {
+			if (fr->fr_ifnames[i] < 0) {
 				fr->fr_ifas[i] = NULL;
 				continue;
 			}
+			if (strnlen(fr->fr_ifnames[i], MAX_IFNAME_LENGTH) > fr->fr_namelen && fr->fr_namelen >= MAX_IFNAME_LENGTH)
+				continue;
 			name = FR_NAME(fr, fr_ifnames[i]);
 			fr->fr_ifas[i] = ipf_resolvenic(softc, name,
 							fr->fr_family);