Date:      Tue, 17 Feb 2026 02:22:22 +0000
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 3fdbd8a07a2d - main - ipfilter: Avoid negative array indicies
Message-ID:  <6993d0de.1a317.43855e24@gitrepo.freebsd.org>


The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=3fdbd8a07a2dcb8fe3cec19fc59ef064453e4755

commit 3fdbd8a07a2dcb8fe3cec19fc59ef064453e4755
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2026-02-11 19:30:38 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-02-17 02:21:59 +0000

    ipfilter: Avoid negative array indicies
    
    Array indices must always be positive. We ensure this by making each index
    unsigned. This mitigates out-of-bounds reads and writes.
    
    Reported by:            Ilja Van Sprundel <ivansprundel@ioactive.com>
    Reviewed by:            glebius
    MFC after:              3 days
    Differential revision:  https://reviews.freebsd.org/D55260
---
 sys/netpfil/ipfilter/netinet/fil.c      | 4 ++--
 sys/netpfil/ipfilter/netinet/ip_fil.h   | 2 +-
 sys/netpfil/ipfilter/netinet/ip_state.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index 657097ca7b85..9217572aac50 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -8530,7 +8530,7 @@ ipf_matcharray_load(ipf_main_softc_t *softc, caddr_t data, ipfobj_t *objp,
 int
 ipf_matcharray_verify(int *array, int arraysize)
 {
-	int i, nelem, maxidx;
+	u_int i, nelem, maxidx;
 	ipfexp_t *e;
 
 	nelem = arraysize / sizeof(*array);
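Review bot: `arraysize` is still a signed `int` parameter, so in `nelem = arraysize / sizeof(*array);` a negative value is converted to an unsigned type before the division and, now that `nelem` is `u_int`, becomes a very large element count instead of a negative one. Whether that value is rejected depends on checks further down in ipf_matcharray_verify, whose body continues outside the hunk. I would either make the parameter unsigned to match, or reject it before the division, e.g. `if (arraysize < 0) return (-1);`, with the return value adjusted to the function's existing failure convention.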
@@ -8591,7 +8591,7 @@ ipf_matcharray_verify(int *array, int arraysize)
 static int
 ipf_fr_matcharray(fr_info_t *fin, int *array)
 {
-	int i, n, *x, rv, p;
+	u_int i, n, *x, rv, p;
 	ipfexp_t *e;
 
 	rv = 0;
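Review bot: The one-line declaration `u_int i, n, *x, rv, p;` changes more than the indices: `x` becomes a `u_int *`, and `rv` and `p` become unsigned as well. The function still returns `int` and takes `int *array`, and `ipfe_arg0` in ip_fil.h remains `int`, so if `x` is pointed at either of those (the assignment is outside the hunk) this introduces a pointer-signedness mismatch, and any signed comparison on `rv` or `p` changes meaning. Splitting the declaration keeps the fix to the indices: `u_int i, n;` and `int *x, rv, p;`. The same declaration is changed the same way in ipf_state_matcharray in ip_state.c; both function bodies continue outside their hunks.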
diff --git a/sys/netpfil/ipfilter/netinet/ip_fil.h b/sys/netpfil/ipfilter/netinet/ip_fil.h
index 81ad50373fe9..dbfc045a8646 100644
--- a/sys/netpfil/ipfilter/netinet/ip_fil.h
+++ b/sys/netpfil/ipfilter/netinet/ip_fil.h
@@ -1473,7 +1473,7 @@ typedef struct ipfexp {
 	int		ipfe_cmd;
 	int		ipfe_not;
 	int		ipfe_narg;
-	int		ipfe_size;
+	u_int		ipfe_size;
 	int		ipfe_arg0[1];
 } ipfexp_t;
 
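Review bot: `ipfe_narg` stays a signed `int` right next to the field that was made unsigned, so if it is used as a count or loop bound over `ipfe_arg0` (those uses are not visible here) the negative-value concern still applies to it. Making `ipfe_size` unsigned also only turns a negative size into a very large one; it stays safe only as long as the verifier compares it against the remaining array length. A short comment on the field would help, e.g. `/* validated against the array bounds by ipf_matcharray_verify() */`, assuming that is where the check lives.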
diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c
index 8a21e7593995..c8d6e4e0feb3 100644
--- a/sys/netpfil/ipfilter/netinet/ip_state.c
+++ b/sys/netpfil/ipfilter/netinet/ip_state.c
@@ -4910,7 +4910,7 @@ ipf_state_matchflush(ipf_main_softc_t *softc, caddr_t data)
 static int
 ipf_state_matcharray(ipstate_t *state, int *array, u_long ticks)
 {
-	int i, n, *x, rv, p;
+	u_int i, n, *x, rv, p;
 	ipfexp_t *e;
 
 	rv = 0;

