ipf_state_putent() copies user-influenced state and rule objects and
then dereferences multiple unvalidated indices and strings to resolve
interfaces and destinations. Specifically:
- fr->fr_ifnames[i] is used as an offset into the variable-length fr_names buffer without checking that it is non-negative and < fr_namelen. fr_namelen is not validated either, and also needs to be validated.
- isn->is_ifname[i] is treated as a NUL-terminated string with no guarantee of termination.
- Additional structures (fr->fr_tifs[0/1], fr->fr_dif) are consumed without validating embedded indices/lengths.
These issues enable out-of-bounds reads in the kernel, leading to panic/DoS and potential information disclosure.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day
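The checks the message calls for, as an added illustration that is not the committed fix: the struct layouts, constants and function names below are constructed stand-ins for ipfilter's rule and state objects, kept only as far as the validation needs them.

```c
#include <stddef.h>
#include <string.h>

#define FR_NIFNAMES 4   /* constructed: interface-name slots per rule/state */
#define LIFNAMSIZ   16  /* constructed: size of one is_ifname[] buffer */

/* Constructed stand-in for the copied-in rule: fixed fields followed by a
 * variable-length name buffer that fr_ifnames[] indexes by byte offset. */
struct rule_hdr {
    int  fr_ifnames[FR_NIFNAMES]; /* offsets into fr_names, -1 = unused */
    int  fr_namelen;              /* bytes of fr_names that are valid */
    char fr_names[64];            /* fixed capacity here; variable in ipf */
};

/* Constructed stand-in for the copied-in state entry's interface names. */
struct state_hdr {
    char is_ifname[FR_NIFNAMES][LIFNAMSIZ];
};

/* Check every fr_ifnames[i] before it is used as a pointer into fr_names.
 * Returns 0 when all fields are safe to dereference, -1 otherwise. */
int validate_rule_names(const struct rule_hdr *fr)
{
    int i;
    /* fr_namelen is user-supplied too: it must not exceed the buffer. */
    if (fr->fr_namelen < 0 || (size_t)fr->fr_namelen > sizeof(fr->fr_names))
        return -1;
    for (i = 0; i < FR_NIFNAMES; i++) {
        int off = fr->fr_ifnames[i];
        if (off == -1)
            continue;                   /* slot not in use */
        if (off < 0 || off >= fr->fr_namelen)
            return -1;                  /* would read outside fr_names */
        /* The string must terminate inside the valid region. */
        if (memchr(fr->fr_names + off, '\0', fr->fr_namelen - off) == NULL)
            return -1;
    }
    return 0;
}

/* Check that each is_ifname[i] is NUL-terminated inside its own buffer, so
 * later string handling cannot run past it. Returns 0 if safe, -1 otherwise. */
int validate_state_ifnames(const struct state_hdr *isn)
{
    int i;
    for (i = 0; i < FR_NIFNAMES; i++)
        if (memchr(isn->is_ifname[i], '\0', LIFNAMSIZ) == NULL)
            return -1;
    return 0;
}
```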