ipfilter: Prevent stack buffer overflow
ClosedPublic
Actions

Authored by des on Dec 12 2025, 4:25 PM.

Details

Reviewers

Group Reviewers

Commits

rG0c37e6e295fb: ipfilter: Prevent stack buffer overflow
rG1a67e18678f6: ipfilter: Prevent stack buffer overflow
rG594ed1aab6f5: ipfilter: Prevent stack buffer overflow
rGa34c50fbd2a5: ipfilter: Prevent stack buffer overflow

Summary

When copying ipfs data from user space, don't just check that the payload
length is nonzero, but also that it does not exceed the size of the stack
buffer we're copying it into.

While we're at it, use a union to create a buffer of the exact size we
need instead of guessing that 2048 will be enough (and not too much).

Finally, check the size of the payload once it gets to where it's used.

MFC after: 3 days

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

des created this revision.Dec 12 2025, 4:25 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro, imp. · View Herald TranscriptDec 12 2025, 4:25 PM

des requested review of this revision.Dec 12 2025, 4:25 PM

Harbormaster completed remote builds in B69208: Diff 167928.Dec 12 2025, 4:25 PM

Looks good to me.

This revision is now accepted and ready to land.Dec 16 2025, 3:48 PM

Closed by commit rGa34c50fbd2a5: ipfilter: Prevent stack buffer overflow (authored by des). · Explain WhyDec 16 2025, 4:13 PM

This revision was automatically updated to reflect the committed changes.

des added a commit: rGa34c50fbd2a5: ipfilter: Prevent stack buffer overflow.

des added a commit: rG594ed1aab6f5: ipfilter: Prevent stack buffer overflow.Dec 19 2025, 6:08 PM

des added a commit: rG1a67e18678f6: ipfilter: Prevent stack buffer overflow.

des added a commit: rG0c37e6e295fb: ipfilter: Prevent stack buffer overflow.

Revision Contents
Changeset List

Path

Size

sbin/

ipf/

libipf/

interror.c

5 lines

sys/

netpfil/

ipfilter/

netinet/

ip_sync.c

51 lines

Diff 168199

View Options

sbin/ipf/libipf/interror.c