From nobody Mon Jan 5 20:00:31 2026
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 43bd2534b7d5 - stable/15 - ipfilter: Verify ipnat on entry into kernel
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 43bd2534b7d552e63129004f32fc1f112855431f
Auto-Submitted: auto-generated
Date: Mon, 05 Jan 2026 20:00:31 +0000
Message-Id: <695c185f.3eeb1.1b45cad9@gitrepo.freebsd.org>

The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=43bd2534b7d552e63129004f32fc1f112855431f

commit 43bd2534b7d552e63129004f32fc1f112855431f
Author:     Cy Schubert
AuthorDate: 2025-11-03 04:59:15 +0000
Commit:     Cy Schubert
CommitDate: 2026-01-05 20:00:00 +0000

    ipfilter: Verify ipnat on entry into kernel

    The ipnat struct is built by ipnat(8), specifically ipnat_y.y when
    parsing the ipnat configuration file (typically ipnat.conf). ipnat
    contains a variable length string field at the end of the struct. This
    data field, called in_names, may contain various text strings such as
    NIC names. There is no upper bound limit to the length of strings as
    long as the in_namelen length field specifies the length of in_names
    within the ipnat structure and in_size specifies the size of the ipnat
    structure itself.

    Reported by:    Ilja Van Sprundel
    Reviewed by:    markj
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D53843

    (cherry picked from commit 821774dfbdaa12ef072ff7eaea8f9966a7e63935)
---
 sbin/ipf/libipf/interror.c            |  6 +++++
 sys/netpfil/ipfilter/netinet/ip_nat.c | 42 ++++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
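The commit message describes the shape of the problem: a struct copied in from userland with a fixed header, a variable-length in_names tail, and header fields (in_size, in_namelen, and several string offsets) that the kernel must cross-check before it trusts any of them. The following is an added example, not FreeBSD's ipfilter code, showing that validation on a model of the same layout. struct nat_hdr, MAX_NAMELEN, check_names_string(), validate_nat() and run_case() are hypothetical stand-ins for the kernel's ipnat_t, softc->ipf_max_namelen and the checks in ipf_nat_ioctl(); the error numbers are the ones this patch adds to interror.c. The sample buffers are constructed inline.

```c
/*
 * Added example, not ipfilter code.  struct nat_hdr, MAX_NAMELEN and the
 * function names are hypothetical; error numbers are the ones this patch
 * adds to interror.c.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMELEN 4096	/* stand-in for softc->ipf_max_namelen (assumed) */

struct nat_hdr {		/* hypothetical, modelled on ipnat_t */
	int size;		/* must equal sizeof(struct nat_hdr) + namelen */
	int namelen;		/* bytes in names[] */
	int ifnames[2];		/* offsets into names[] of the interface names */
	int plabel, pconfig;	/* offsets into names[] of proxy label/config */
	char names[];		/* variable-length tail */
};

enum {	/* mirrors the interror.c entries added by the patch */
	E_OK = 0, E_OFFSET_NEGATIVE = 60077, E_OFFSET_PAST_NAMELEN = 60078,
	E_SIZE_MISMATCH = 60080, E_RUNS_OFF_END = 60081, E_NAMELEN_BAD = 60082
};

/* The string at names[off] must be NUL-terminated before names[namelen]. */
static int
check_names_string(const char *names, int namelen, int off)
{
	if (off < 0)
		return (E_OFFSET_NEGATIVE);
	if (off >= namelen)
		return (E_OFFSET_PAST_NAMELEN);
	/* Bounded scan: never reads beyond the namelen bytes we were given. */
	if (memchr(names + off, '\0', (size_t)(namelen - off)) == NULL)
		return (E_RUNS_OFF_END);
	return (E_OK);
}

/*
 * buf/buflen is the raw copy from userland.  namelen is range-checked
 * before it enters any size arithmetic, so the sum below cannot wrap.
 */
int
validate_nat(const void *buf, size_t buflen)
{
	const struct nat_hdr *h = buf;
	int err;

	if (buflen < sizeof(*h))
		return (E_SIZE_MISMATCH);
	if (h->namelen < 0 || h->namelen > MAX_NAMELEN)
		return (E_NAMELEN_BAD);
	if (h->size < 0 || (size_t)h->size != sizeof(*h) + (size_t)h->namelen ||
	    (size_t)h->size != buflen)
		return (E_SIZE_MISMATCH);
	if ((err = check_names_string(h->names, h->namelen, h->ifnames[0])) != 0)
		return (err);
	if (h->ifnames[1] != h->ifnames[0] &&
	    (err = check_names_string(h->names, h->namelen, h->ifnames[1])) != 0)
		return (err);
	if ((err = check_names_string(h->names, h->namelen, h->plabel)) != 0)
		return (err);
	return (check_names_string(h->names, h->namelen, h->pconfig));
}

/*
 * Constructed test input: build header + names area the way a userland
 * tool would, then validate it.  size_extra != 0 makes in_size lie.
 */
int
run_case(const char *names, int namelen, int if0, int if1, int plabel,
    int pconfig, int size_extra)
{
	unsigned char buf[128];
	struct nat_hdr h;
	size_t total = sizeof(h) + (namelen > 0 ? (size_t)namelen : 0);

	if (total > sizeof(buf))
		return (-1);
	memset(&h, 0, sizeof(h));
	h.size = (int)total + size_extra;
	h.namelen = namelen;
	h.ifnames[0] = if0; h.ifnames[1] = if1;
	h.plabel = plabel; h.pconfig = pconfig;
	memcpy(buf, &h, sizeof(h));
	if (namelen > 0)
		memcpy(buf + sizeof(h), names, (size_t)namelen);
	return (validate_nat(buf, total));
}

int
main(void)
{
	/* "em0\0em1\0\0" plus the literal's own NUL: 10 bytes, offsets 0/4/8/9 */
	printf("good: %d\n", run_case("em0\0em1\0\0", 10, 0, 4, 8, 9, 0));
	printf("em1 unterminated: %d\n", run_case("em0\0em1", 7, 0, 4, 0, 0, 0));
	printf("plabel past end: %d\n", run_case("em0\0em1\0", 8, 0, 4, 50, 0, 0));
	printf("negative offset: %d\n", run_case("em0\0", 4, -1, 0, 0, 0, 0));
	printf("in_size lies: %d\n", run_case("em0\0", 4, 0, 0, 0, 0, 16));
	printf("negative namelen: %d\n", run_case("", -16, 0, 0, 0, 0, 0));
	return (0);
}
```

Two design points carry over to the real ioctl path: the length field is range-checked before it takes part in any size arithmetic (so a negative or huge in_namelen cannot wrap the sum that sizes the kernel allocation), and every offset is resolved with a scan bounded by in_namelen rather than strlen(), so a string that is not NUL-terminated inside the copied-in area is rejected instead of read past its end.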
diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c index b529c4b95262..7634753967e6 100644 --- a/sbin/ipf/libipf/interror.c +++ b/sbin/ipf/libipf/interror.c @@ -363,6 +363,12 @@ log" }, { 60074, "unknown next address type (ipv6)" }, { 60075, "one object at a time must be copied" }, { 60076, "NAT ioctl denied in jail without VNET" }, + { 60077, "in_names offset is wrapped negative" }, + { 60078, "in_names larger than in_namelen" }, + { 60079, "ipnat larger than in_size" }, + { 60080, "ipnat and in_namelen mismatch in_size" }, + { 60081, "ip_names runs off the end of ipnat" }, + { 60082, "in_namelen too large" }, /* -------------------------------------------------------------------------- */ { 70001, "incorrect object size to get pool stats" }, { 70002, "could not malloc memory for new pool node" }, diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index 53c180cdfbca..44ab7e9283de 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -974,9 +974,13 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, int mode, int uid, void *ctx) { ipf_nat_softc_t *softn = softc->ipf_nat_soft; - int error = 0, ret, arg, getlock; + int error = 0, ret, arg, getlock, interr, i; + int interr_tbl[3] = { 60077, 60081, 60078 }; ipnat_t *nat, *nt, *n; ipnat_t natd; + char *name; + size_t v_in_size, v_element_size; + int v_rem_namelen, v_in_toend; SPL_INT(s); #if !SOLARIS && defined(_KERNEL) @@ -1027,6 +1031,16 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = EINVAL; goto done; } + if (sizeof(natd) + natd.in_namelen != natd.in_size) { + IPFERROR(60080); + error = EINVAL; + goto done; + } + if (natd.in_namelen < 0 || natd.in_namelen > softc->ipf_max_namelen) { + IPFERROR(60082); + error = EINVAL; + goto done; + } KMALLOCS(nt, ipnat_t *, natd.in_size); if (nt == NULL) { IPFERROR(60070); 
@@ -1041,6 +1055,32 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, nat = nt; } + /* + * Validate the incoming ipnat_t. + */ + if ((interr = ipf_check_names_string(nat->in_names, nat->in_namelen, nat->in_ifnames[0])) != 0) { + IPFERROR(interr_tbl[interr-1]); + error = EINVAL; + goto done; + } + if (nat->in_ifnames[0] != nat->in_ifnames[1]) { + if ((interr = ipf_check_names_string(nat->in_names, nat->in_namelen, nat->in_ifnames[1])) != 0) { + IPFERROR(interr_tbl[interr-1]); + error = EINVAL; + goto done; + } + } + if ((interr = ipf_check_names_string(nat->in_names, nat->in_namelen, nat->in_plabel)) != 0) { + IPFERROR(interr_tbl[interr-1]); + error = EINVAL; + goto done; + } + if ((interr = ipf_check_names_string(nat->in_names, nat->in_namelen, nat->in_pconfig)) != 0) { + IPFERROR(interr_tbl[interr-1]); + error = EINVAL; + goto done; + } + /* * For add/delete, look to see if the NAT entry is * already present
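Review bot: in the interror.c hunk the 60081 message reads "ip_names runs off the end of ipnat" while the field and every neighbouring entry say in_names; make it "in_names runs off the end of ipnat" so the text an operator sees matches the field name. Separately, 60079 ("ipnat larger than in_size") is added to the table but no ip_nat.c hunk in this patch raises it (interr_tbl maps to 60077, 60081 and 60078, and the direct IPFERROR() calls use 60080 and 60082); if nothing else in the change references it, either wire it to a check or drop the entry.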
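Review bot: in the declarations hunk (@@ -974,9 +974,13 @@), only interr and interr_tbl are used anywhere in this patch; name, v_in_size, v_element_size, v_rem_namelen, v_in_toend and i are declared and never referenced in the hunks shown. Unless they are used in parts of ipf_nat_ioctl() outside the diff, they should be removed rather than left to draw unused-variable warnings. interr_tbl is a fixed lookup table and would be better as `static const int interr_tbl[3]` than an automatic array re-initialised on every ioctl.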
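Review bot: in the @@ -1027,6 +1031,16 @@ hunk the two new checks are in the wrong order: `sizeof(natd) + natd.in_namelen != natd.in_size` is evaluated before in_namelen has been range-checked, and the very next test, `natd.in_namelen < 0`, shows in_namelen is signed, so a negative value is converted to size_t and the sum wraps before it is compared with in_size. The second check still rejects the negative value before KMALLOCS() runs, so no bad size reaches the allocator, but swapping the two blocks (range-check in_namelen against 0 and softc->ipf_max_namelen first, then the in_size equality) makes the arithmetic well-defined and the intent obvious; a cast on in_size in that comparison would also avoid a signed/unsigned compare.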
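Review bot: in the @@ -1041,6 +1055,32 @@ hunk, `interr_tbl[interr-1]` is indexed with whatever ipf_check_names_string() returns and nothing checks that it lies in 1..3; a fourth return code added to that function later reads past the three-element table. Either bounds-check interr before the lookup or have ipf_check_names_string() return the IPFERROR number itself and drop the table. The four call sites also repeat the same four-line error block; looping over the offsets (in_ifnames[0], in_ifnames[1] when it differs, in_plabel, in_pconfig) or a small helper would remove the duplication, and the `if ((interr = ...` lines run well past 80 columns.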