To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: 594ed1aab6f5 - stable/15 - ipfilter: Prevent stack buffer overflow
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Commit: 594ed1aab6f5666cd891151737489f448c039849
Date: Fri, 19 Dec 2025 18:06:00 +0000
Message-Id: <69459408.23b3a.3073b68c@gitrepo.freebsd.org>

The branch stable/15 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=594ed1aab6f5666cd891151737489f448c039849

commit 594ed1aab6f5666cd891151737489f448c039849
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-12-16 16:11:24 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2025-12-19 18:05:44 +0000

    ipfilter: Prevent stack buffer overflow

    When copying ipfs data from user space, don't just check that the
    payload length is nonzero, but also that it does not exceed the size
    of the stack buffer we're copying it into.

    While we're at it, use a union to create a buffer of the exact size
    we need instead of guessing that 2048 will be enough (and not too
    much).

    Finally, check the size of the payload once it gets to where it's
    used.

    MFC after:	3 days
    Reported by:	Ilja Van Sprundel
    Reviewed by:	cy
    Differential Revision:	https://reviews.freebsd.org/D54194

    (cherry picked from commit a34c50fbd2a52bb63acde82e5aec4cb57880e39b)
---
 sbin/ipf/libipf/interror.c             |  5 ++++
 sys/netpfil/ipfilter/netinet/ip_sync.c | 51 ++++++++++++++++++++++++----------
 2 files changed, 42 insertions(+), 14 deletions(-)
diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c index a8dc3be2d5d1..29923163212f 100644 --- a/sbin/ipf/libipf/interror.c +++ b/sbin/ipf/libipf/interror.c @@ -472,6 +472,11 @@ log" }, { 110019, "sync update could not find NAT entry" }, { 110020, "unrecognised sync NAT command" }, { 110021, "ioctls are not handled with sync" }, + /* missing entries 110022-110024 */ + { 110025, "invalid payload length (sync create state)" }, + { 110026, "invalid payload length (sync update state)" }, + { 110027, "invalid payload length (sync create NAT)" }, + { 110028, "invalid payload length (sync update NAT)" }, /* -------------------------------------------------------------------------- */ { 120001, "null data pointer for iterator" }, { 120002, "unit outside of acceptable range" }, diff --git a/sys/netpfil/ipfilter/netinet/ip_sync.c b/sys/netpfil/ipfilter/netinet/ip_sync.c index f6bc7e7fbe2a..b0be68148a18 100644 --- a/sys/netpfil/ipfilter/netinet/ip_sync.c +++ b/sys/netpfil/ipfilter/netinet/ip_sync.c @@ -409,13 +409,16 @@ ipf_sync_write(ipf_main_softc_t *softc, struct uio *uio) { ipf_sync_softc_t *softs = softc->ipf_sync_soft; synchdr_t sh; - - /* - * THIS MUST BE SUFFICIENT LARGE TO STORE - * ANY POSSIBLE DATA TYPE - */ - char data[2048]; - + union ipf_sync_data { + union ipf_sync_state_data { + ipstate_t create; + synctcp_update_t update; + } state; + union ipf_sync_nat_data { + nat_t create; + syncupdent_t update; + } nat; + } data; int err = 0; # if defined(__NetBSD__) || defined(__FreeBSD__) 
@@ -494,18 +497,18 @@ ipf_sync_write(ipf_main_softc_t *softc, struct uio *uio) * needed for the request */ - /* not supported */ - if (sh.sm_len == 0) { + /* too short or too long */ + if (sh.sm_len == 0 || sh.sm_len > sizeof(data)) { if (softs->ipf_sync_debug > 2) - printf("uiomove(data zero length %s\n", - "not supported"); + printf("uiomove(data) invalid length %d\n", + sh.sm_len); IPFERROR(110006); return (EINVAL); } if (uio->uio_resid >= sh.sm_len) { - err = UIOMOVE(data, sh.sm_len, UIO_WRITE, uio); + err = UIOMOVE(&data, sh.sm_len, UIO_WRITE, uio); if (err) { if (softs->ipf_sync_debug > 2) @@ -519,9 +522,9 @@ ipf_sync_write(ipf_main_softc_t *softc, struct uio *uio) sh.sm_len); if (sh.sm_table == SMC_STATE) - err = ipf_sync_state(softc, &sh, data); + err = ipf_sync_state(softc, &sh, &data); else if (sh.sm_table == SMC_NAT) - err = ipf_sync_nat(softc, &sh, data); + err = ipf_sync_nat(softc, &sh, &data); if (softs->ipf_sync_debug > 7) printf("[%d] Finished with error %d\n", sh.sm_num, err); @@ -651,6 +654,11 @@ ipf_sync_state(ipf_main_softc_t *softc, synchdr_t *sp, void *data) { case SMC_CREATE : + if (sp->sm_len != sizeof(sn)) { + IPFERROR(110025); + err = EINVAL; + break; + } bcopy(data, &sn, sizeof(sn)); KMALLOC(is, ipstate_t *); if (is == NULL) { @@ -717,6 +725,11 @@ ipf_sync_state(ipf_main_softc_t *softc, synchdr_t *sp, void *data) break; case SMC_UPDATE : + if (sp->sm_len != sizeof(su)) { + IPFERROR(110026); + err = EINVAL; + break; + } bcopy(data, &su, sizeof(su)); if (softs->ipf_sync_debug > 4) @@ -892,6 +905,11 @@ ipf_sync_nat(ipf_main_softc_t *softc, synchdr_t *sp, void *data) break; } + if (sp->sm_len != sizeof(*nat)) { + IPFERROR(110027); + err = EINVAL; + break; + } nat = (nat_t *)data; bzero((char *)n, offsetof(nat_t, nat_age)); bcopy((char *)&nat->nat_age, (char *)&n->nat_age, 
@@ -915,6 +933,11 @@ ipf_sync_nat(ipf_main_softc_t *softc, synchdr_t *sp, void *data) break; case SMC_UPDATE : + if (sp->sm_len != sizeof(su)) { + IPFERROR(110028); + err = EINVAL; + break; + } bcopy(data, &su, sizeof(su)); for (sl = softs->syncnattab[hv]; (sl != NULL);
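Review bot: the interror.c hunk adds strings for 110025-110028 only, while the "too short or too long" check in ipf_sync_write() keeps reporting IPFERROR(110006) for both the zero-length and the oversize case. Unless the 110006 text has been reworded elsewhere, an oversize payload will be described with the old zero-length/not-supported wording; either give the oversize case its own code or update the 110006 entry. The `/* missing entries 110022-110024 */` comment would also benefit from a word on why those numbers are skipped.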
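Review bot: the `union ipf_sync_data` hunk needs a comment stating the invariant it relies on: `sizeof(data)` is only a valid bound as long as the union lists every type that ipf_sync_state() and ipf_sync_nat() copy out of `data` (the later hunks check against `sizeof(sn)`, `sizeof(su)` and `sizeof(*nat)`). If one of those locals changes type without the union following, the write-time bound silently becomes wrong again. The inner tags `ipf_sync_state_data`/`ipf_sync_nat_data` and the members `state`/`nat` are not referenced anywhere in the diff, so a single anonymous union of the four types would be simpler unless the names are used elsewhere.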
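Review bot: in the `sh.sm_len == 0 || sh.sm_len > sizeof(data)` hunk, rejection of negative lengths depends on the usual arithmetic conversions: if `sm_len` is a signed type, a negative value converts to a large `size_t` and fails the comparison, which is the intended outcome but deserves a one-line comment so nobody "fixes" it into a signed compare later. The debug printf uses `%d` for `sh.sm_len`; that matches a signed int and should be `%u` if the field is unsigned.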
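Review bot: the new `if (sp->sm_len != sizeof(sn))` and `sizeof(su)` checks in ipf_sync_state() set err and IPFERROR but, unlike the neighbouring paths that print under `softs->ipf_sync_debug`, leave the operator no record of which length was received versus expected. A debug printf of `sp->sm_len` and the expected size before the `break` would make a peer running a different ipfilter build diagnosable instead of a silent EINVAL.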
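Review bot: in the ipf_sync_nat() SMC_CREATE hunk, `sizeof(*nat)` is written before `nat = (nat_t *)data;` assigns the pointer on the following line. That is legal, since sizeof does not evaluate its operand, but it reads as a use-before-set; `sizeof(nat_t)` says the same thing and matches the cast on the next line.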
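As an added illustration, not code from the FreeBSD tree: a user-space C model of the hardened ipf_sync_write() path the commit message describes, with the write-time bound against a union-sized buffer and an exact-size check where the payload is consumed. The trimmed synchdr_t and the four fixed-size payload structs are constructed stand-ins for ipfilter's real types, and sync_write, sync_consume and sync_write_probe are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

enum { SMC_STATE = 1, SMC_NAT = 2, SMC_CREATE = 1, SMC_UPDATE = 2 };  /* as in ipfilter */
typedef struct { uint32_t sm_table, sm_cmd; int32_t sm_len; } synchdr_t;  /* constructed, trimmed header */
typedef struct { uint8_t body[96]; } state_create_t;   /* constructed stand-in for ipstate_t */
typedef struct { uint8_t body[24]; } state_update_t;   /* ... for synctcp_update_t */
typedef struct { uint8_t body[128]; } nat_create_t;    /* ... for nat_t */
typedef struct { uint8_t body[32]; } nat_update_t;     /* ... for syncupdent_t */

union sync_data {  /* exactly as large as its largest member: the true bound, not a guessed 2048 */
    union { state_create_t create; state_update_t update; } state;
    union { nat_create_t create; nat_update_t update; } nat;
};

/* Consumer-side check: the payload must be exactly the object it is about to be copied into. */
static int sync_consume(const synchdr_t *sp)
{
    size_t want;
    if (sp->sm_table == SMC_STATE)
        want = sp->sm_cmd == SMC_CREATE ? sizeof(state_create_t) : sizeof(state_update_t);
    else if (sp->sm_table == SMC_NAT)
        want = sp->sm_cmd == SMC_CREATE ? sizeof(nat_create_t) : sizeof(nat_update_t);
    else
        return EINVAL;
    return (size_t)sp->sm_len == want ? 0 : EINVAL;   /* IPFERROR(110025..110028) in the real code */
}

/* Models ipf_sync_write(): 'uio' holds a header followed by payload, 'resid' is its byte count. */
int sync_write(const unsigned char *uio, size_t resid)
{
    synchdr_t sh;
    union sync_data data;
    if (resid < sizeof(sh))
        return EINVAL;
    memcpy(&sh, uio, sizeof(sh));
    uio += sizeof(sh); resid -= sizeof(sh);
    /* The fix: reject zero length and anything larger than the stack buffer; a negative
     * sm_len converts to a huge size_t in this comparison and is rejected as well. */
    if (sh.sm_len == 0 || (size_t)sh.sm_len > sizeof(data))
        return EINVAL;
    if (resid < (size_t)sh.sm_len)          /* short write: nothing is copied */
        return EINVAL;
    memcpy(&data, uio, (size_t)sh.sm_len);  /* UIOMOVE(&data, sh.sm_len, ...) */
    return sync_consume(&sh);
}

int sync_write_probe(uint32_t table, uint32_t cmd, int32_t len, size_t avail)  /* header + 'avail' zero bytes */
{
    unsigned char buf[sizeof(synchdr_t) + 4096] = {0};
    synchdr_t sh = { table, cmd, len };
    memcpy(buf, &sh, sizeof(sh));
    return sync_write(buf, sizeof(sh) + (avail > 4096 ? 4096 : avail));
}
```

The 128-byte probe against SMC_STATE/SMC_CREATE shows why the consumer-side check still matters: it fits the buffer, so only the exact-size test at the point of use rejects it.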