Differential D53286

ipfilter: Don't trust userland supplied iph_size
ClosedPublic
Actions

Authored by cy on Oct 22 2025, 11:35 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Nov 8 2025, 2:50 AM

	Unknown Object (File)
	Nov 6 2025, 9:49 PM

	Unknown Object (File)
	Nov 4 2025, 5:38 PM

	Unknown Object (File)
	Nov 3 2025, 4:23 PM

	Unknown Object (File)
	Oct 31 2025, 1:07 AM

	Unknown Object (File)
	Oct 31 2025, 12:17 AM

	Unknown Object (File)
	Oct 27 2025, 3:58 AM

	Unknown Object (File)
	Oct 26 2025, 10:48 PM

View All 22 Files

Subscribers

vegeta_tuxpowered.net

Details

Reviewers

emaste
markj

Commits

rGdbe0b2c986cb: ipfilter: Don't trust userland supplied iph_size
rG794a904b454b: ipfilter: Don't trust userland supplied iph_size
rG4fa6c0b831ba: ipfilter: Don't trust userland supplied iph_size
rGdf381bec2d2b: ipfilter: Don't trust userland supplied iph_size

Summary

ipf_htable_create() trusts a user-supplied iph_size from iphtable_t
and computes the allocation size as iph->iph_size * sizeof(*iph->iph_table)
without checking for integer overflow. A sufficiently large iph_size
causes the multiplication to wrap, resulting in an under-sized allocation
for the table pointer array. Subsequent code (e.g., in ipf_htent_insert())
can then write past the end of the allocated buffer, corrupting kernel
memory and causing DoS or potential privilege escalation.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

cy created this revision.Oct 22 2025, 11:35 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro, imp. · View Herald TranscriptOct 22 2025, 11:35 PM

cy requested review of this revision.Oct 22 2025, 11:35 PM

Harbormaster completed remote builds in B68026: Diff 164824.Oct 22 2025, 11:35 PM

markj accepted this revision.Oct 24 2025, 12:56 PM

markj added inline comments.

sys/netpfil/ipfilter/netinet/ip_htable.c
367	Should we clamp the size to the maximum instead?

This revision is now accepted and ready to land.Oct 24 2025, 12:56 PM

cy marked an inline comment as done.Oct 24 2025, 11:34 PM

cy added inline comments.

sys/netpfil/ipfilter/netinet/ip_htable.c
367	Yes. To softh->ipf_htable_size_max. You're right the last test is extraneous. But this patch is missing a part yet to be submitted.

Fix the last of the issues Ilja Van Sprundel had identified in his
email regarding ip_htable.c.

Also address and fix a question by markj@.

This revision now requires review to proceed.Oct 24 2025, 11:39 PM

Harbormaster completed remote builds in B68112: Diff 165019.Oct 24 2025, 11:39 PM

I really should have tested this before submitting the updated diff. I will test it now.

This review is still active.

markj added inline comments.Oct 28 2025, 11:15 PM

sys/netpfil/ipfilter/netinet/ip_htable.c
369
374	I don't see why this cast is needed? iph_size is already a size_t.

Removal of two size_t casts.

Harbormaster completed remote builds in B68281: Diff 165450.Oct 30 2025, 2:24 PM

markj accepted this revision.Oct 31 2025, 1:15 AM

This revision is now accepted and ready to land.Oct 31 2025, 1:15 AM

Closed by commit rGdf381bec2d2b: ipfilter: Don't trust userland supplied iph_size (authored by cy). · Explain WhyNov 5 2025, 3:35 PM

This revision was automatically updated to reflect the committed changes.

cy added a commit: rGdf381bec2d2b: ipfilter: Don't trust userland supplied iph_size.

cy added a commit: rG4fa6c0b831ba: ipfilter: Don't trust userland supplied iph_size.Nov 14 2025, 4:10 AM

cy added a commit: rG794a904b454b: ipfilter: Don't trust userland supplied iph_size.

cy added a commit: rGdbe0b2c986cb: ipfilter: Don't trust userland supplied iph_size.

Revision Contents
Changeset List

Path

Size

sbin/

ipf/

libipf/

2 lines

sys/

netpfil/

ipfilter/

netinet/

9 lines

Diff 165878

sbin/ipf/libipf/interror.c

Loading...

sys/netpfil/ipfilter/netinet/ip_htable.c

Loading...