Change Details

The indicies received from userland are userland controlled structures that are used to address variable length fields within the fr_names buffer. This is not a problem when ipf(8) creates passes these fields through to the kernel. However, any jailed root user may be able to with an application that calls the ioctl itself cause an OOB read. We mitigate this by validating the indicies received from userland. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 1 week

The indicies received from userland are userland controlled structures that are used to address variable length fields within the fr_names buffer. This is not a problem when ipf(8) creates passes these fields through to the kernel. However, any jailed root user may be able to with an application that calls the ioctl itself cause an OOB read. We mitigate this by validating the indicies received from userland. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 1 week

The indicies received from userland are userland controlled structures that are used to address variable length fields within the fr_names buffer. This is not a problem when ipf(8) creates passes these fields through to the kernel. However, any jailed root user may be able to with an application that calls the ioctl itself cause an OOB read. We mitigate this by validating the indicies received from userland. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 1 week