authorDag-Erling Smørgrav <des@FreeBSD.org>2025-12-16 17:11:24 +0100
committerDag-Erling Smørgrav <des@FreeBSD.org>2025-12-16 17:12:36 +0100
commita34c50fbd2a52bb63acde82e5aec4cb57880e39b (patch)
treea735865ce2bbb759608fdfb1516f3ada2d2f1323 /sbin
parent2619d439fa860db734dbbf4b153c5ac9b15c7e49 (diff)
ipfilter: Prevent stack buffer overflow
When copying ipfs data from user space, don't just check that the payload length is nonzero, but also that it does not exceed the size of the stack buffer we're copying it into. While we're at it, use a union to create a buffer of the exact size we need instead of guessing that 2048 will be enough (and not too much). Finally, check the size of the payload once it gets to where it's used. MFC after: 3 days Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: cy Differential Revision: https://reviews.freebsd.org/D54194
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipf/libipf/interror.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
index 2bbecaa154e6..a7e6f4a5e431 100644
--- a/sbin/ipf/libipf/interror.c
+++ b/sbin/ipf/libipf/interror.c
@@ -483,6 +483,11 @@ log" },
{ 110019, "sync update could not find NAT entry" },
{ 110020, "unrecognised sync NAT command" },
{ 110021, "ioctls are not handled with sync" },
+ /* missing entries 110022-110024 */
+ { 110025, "invalid payload length (sync create state)" },
+ { 110026, "invalid payload length (sync update state)" },
+ { 110027, "invalid payload length (sync create NAT)" },
+ { 110028, "invalid payload length (sync update NAT)" },
/* -------------------------------------------------------------------------- */
{ 120001, "null data pointer for iterator" },
{ 120002, "unit outside of acceptable range" },
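Review bot: The comment `/* missing entries 110022-110024 */` above the new entries does not say whether those codes are raised by the kernel with no message here or are simply unassigned, and that decides what an administrator sees when one of them is returned. If the kernel does set them, adding the three strings would serve better than the placeholder; if not, a comment such as `/* 110022-110024 are not assigned */` says so directly. The four new strings are only useful if the sync payload-length checks described in the commit message set exactly 110025-110028, which cannot be confirmed here because this view is limited to sbin. The table itself starts and ends outside the hunk.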