Date: Fri, 20 Feb 2026 02:24:18 +0000
From: Cy Schubert <cy@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 53e1019c8494 - stable/14 - ipfilter: Fix possible overrun
Message-ID: <6997c5d2.18f2f.3c1d30f6@gitrepo.freebsd.org>
The branch stable/14 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=53e1019c8494e560a4ea121ef9e0c4b3ff4ac016 commit 53e1019c8494e560a4ea121ef9e0c4b3ff4ac016 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2026-02-04 17:27:23 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2026-02-20 02:24:08 +0000 ipfilter: Fix possible overrun The destination buffer is FR_GROUPLEN (16 bytes) in length. When gname is created, the userspace utilities correctly use FR_GROUPLEN as the buffer length. The kernel should also limit its copy operation to FR_GROUPLEN bytes to avoid any user written code from exploiting this vulnerability. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> (cherry picked from commit e40817302ebdf89df2f3bcd679fb7f2a18c244dc) --- sys/netpfil/ipfilter/netinet/fil.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index b2d84ce1fefc..cf21c68b7b46 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -3507,7 +3507,7 @@ ipf_group_add(ipf_main_softc_t *softc, char *group, void *head, u_32_t flags, fg->fg_head = head; fg->fg_start = NULL; fg->fg_next = *fgp; - bcopy(group, fg->fg_name, strlen(group) + 1); + bcopy(group, fg->fg_name, strnlen(group, FR_GROUPLEN) + 1); fg->fg_flags = gflags; fg->fg_ref = 1; fg->fg_set = &softc->ipf_groups[unit][set];home | help
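Review bot: In the ipf_group_add() hunk, the new length `strnlen(group, FR_GROUPLEN) + 1` can still come to FR_GROUPLEN + 1 bytes, one more than the FR_GROUPLEN (16 byte) destination the commit message describes. When group has no NUL within its first FR_GROUPLEN bytes, strnlen returns FR_GROUPLEN, so bcopy writes 17 bytes into fg->fg_name and the last byte copied is not guaranteed to be a terminator. Consider bounding the copy at FR_GROUPLEN - 1 and terminating explicitly, for example `strlcpy(fg->fg_name, group, FR_GROUPLEN);`, or rejecting an unterminated group name before the copy.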
