diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
--- a/sbin/ipf/libipf/interror.c
+++ b/sbin/ipf/libipf/interror.c
@@ -451,6 +451,9 @@
 { 100034, "could not find timeout name" },
 { 100035, "could not allocate new state table" },
 { 100036, "could not allocate new state bucket length table" },
+ { 100037, "is_ifname is too long" },
+ { 100038, "is_tifs is too long" },
+ { 100039, "fr_dif (destination) is too long" },
 /* -------------------------------------------------------------------------- */
 { 110001, "sync write header magic number is incorrect" },
 { 110002, "sync write header protocol is incorrect" },
diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c
--- a/sys/netpfil/ipfilter/netinet/ip_state.c
+++ b/sys/netpfil/ipfilter/netinet/ip_state.c
@@ -951,6 +951,13 @@
 for (i = 0; i < FR_NUM(isn->is_ifname); i++) {
 name = isn->is_ifname[i];
+ if (strnlen(name, MAX_IFNAME_LENGTH) == MAX_IFNAME_LENGTH) {
+ KFREE(isn);
+ MUTEX_DESTROY(&fr->fr_lock);
+ KFREE(fr);
+ IPFERROR(100037);
+ return (EINVAL);
+ }
 isn->is_ifp[i] = ipf_resolvenic(softc, name, isn->is_v);
 }
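Review bot: The termination check added inside the `for` loop over `isn->is_ifname` bounds `strnlen()` with `MAX_IFNAME_LENGTH`, but the size of the buffer it scans is set by the declaration of `is_ifname[i]`, which this hunk does not show. If `is_ifname[i]` is a fixed-size char array, `strnlen(name, sizeof(isn->is_ifname[i])) == sizeof(isn->is_ifname[i])` ties the bound to the declaration, so the scan can neither run past the element nor reject a name that fits should the two sizes ever differ. The check is also interleaved with `ipf_resolvenic()`, so an unterminated name at index i is rejected only after the earlier names were already resolved; a separate validation pass over all names before the first resolve would keep the `EINVAL` path free of partial work. The enclosing function starts and ends outside the hunk, so whether `KFREE(isn)`, `MUTEX_DESTROY(&fr->fr_lock)`, `KFREE(fr)` matches the cleanup on its other error exits cannot be confirmed from here; a one-line comment such as `/* name must be NUL-terminated within its buffer before it is used as a C string */` above the check would record why it exists.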