From nobody Tue Feb 17 02:22:22 2026 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fFNhH57DVz6Skn7 for ; Tue, 17 Feb 2026 02:22:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fFNhG2pQCz3ftl for ; Tue, 17 Feb 2026 02:22:22 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1771294942; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=VVRT2mrQhkCyVGdXPr+JYvT0GTKrghKAN5qyXpFmop8=; b=OEYyVRJ2jciyuOlugbSQ6UcCn6jOA5gSQYo/9bTQ2/JVVbewSBM1aOiZxksbpIIsCTVz6l dO3MbZsl4IeY7EAUO7zqdUqG87euSrZE0fnhatFdpQ74/UlNwfl/rgOPHlIUb6jDywW0/P VHN9J/H7rALV2Eypw4y4B6MEstqDjxkLXMc5FfSrWrN05KPX3gnliFGftauoXOd3jG/gLN hEXkrmy/TEkNBRBYBI4rRmav23rEqAJhinDMn12TvUQtcDHmP7sucL0G5riii00/ISteFL jBZ+ROanTzaHXuRDZYdxnBDpveaGds2Wqtz0oB3GSVBkm/2Q2/D+IXkiaRs5ew== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1771294942; a=rsa-sha256; cv=none; b=BzzE0KR5wbT810UQzMp6KAkLPx1wFN76airSbHz9NUpjOIm2lqCa5sC1zovnefLrWiakH3 /svSiocDpoFmyG699nSjE6ITjsITrVx207DCNnhnRyoaMuQDUqt4B8XrSWVxG+2e4174qu +1dFRXdeOXfzSXPQ2ebJc+jkgFbUvBNu6IT0+a+xlJVrdrwbT9xP/9dDK0VFPJiIWCXG6V Ws3+0nBlPrcsZUrVUTSIMPhQoH+dM/ExT/A3rx89fMX+ATAf3OPtURfR+a72acOK5Zb2LT pPhYtC+q0AG84qyh+Ub2PgITdbFhIoTxx2WQbDKpIlYNbNa3wJWBBuUMARoABw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1771294942; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=VVRT2mrQhkCyVGdXPr+JYvT0GTKrghKAN5qyXpFmop8=; b=JZgygpdYwrS0ta3L4Adw0tyS2s4viNdfCNi77FLp4ExGLlrAyJzWN22i7sd17bKxDqIZTW q5EDXIkFUlkKgrAGfA6oITH+Hzuw0pPmFeESff8VlefT/8s+1oZ8JmvEEqeskczHlN9Smm mU6m3sg/T0x7lyzAiUKJODiJHI/Cdlk+flOeA+je5ppH2Ab+MPTTmrib7Dw/WWgpI9PbN7 j3LziU7igX37vpNBcr8B0zNgWLn8dQpFhU2mUosl2p6UOlNNY+pygL74/Cc1sMODKcfXuM 6wd9vR/iU8wFLweleWY8lPhMrL0WzbVntbMwQps+VCYbU/24Nf8d9avScFLaAQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fFNhG2Fz2zqxJ for ; Tue, 17 Feb 2026 02:22:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1a317 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 17 Feb 2026 02:22:22 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Cy Schubert Subject: git: 3fdbd8a07a2d - main - ipfilter: Avoid negative array indicies List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cy X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 3fdbd8a07a2dcb8fe3cec19fc59ef064453e4755 Auto-Submitted: auto-generated Date: Tue, 17 Feb 2026 02:22:22 +0000 Message-Id: <6993d0de.1a317.43855e24@gitrepo.freebsd.org> The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=3fdbd8a07a2dcb8fe3cec19fc59ef064453e4755 commit 3fdbd8a07a2dcb8fe3cec19fc59ef064453e4755 Author: Cy Schubert AuthorDate: 2026-02-11 19:30:38 +0000 Commit: Cy Schubert CommitDate: 2026-02-17 02:21:59 +0000 ipfilter: Avoid negative array indicies Array indices must always be posive. We avoid this by making each index unsigned. This mitigates out-of-bounds reads and writes. Reported by: Ilja Van Sprundel Reviewed by: glebius MFC after: 3 days Differential revision: https://reviews.freebsd.org/D55260 --- sys/netpfil/ipfilter/netinet/fil.c | 4 ++-- sys/netpfil/ipfilter/netinet/ip_fil.h | 2 +- sys/netpfil/ipfilter/netinet/ip_state.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 657097ca7b85..9217572aac50 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -8530,7 +8530,7 @@ ipf_matcharray_load(ipf_main_softc_t *softc, caddr_t data, ipfobj_t *objp, int ipf_matcharray_verify(int *array, int arraysize) { - int i, nelem, maxidx; + u_int i, nelem, maxidx; ipfexp_t *e; nelem = arraysize / sizeof(*array); @@ -8591,7 +8591,7 @@ ipf_matcharray_verify(int *array, int arraysize) static int ipf_fr_matcharray(fr_info_t *fin, int *array) { - int i, n, *x, rv, p; + u_int i, n, *x, rv, p; ipfexp_t *e; rv = 0; diff --git a/sys/netpfil/ipfilter/netinet/ip_fil.h b/sys/netpfil/ipfilter/netinet/ip_fil.h index 81ad50373fe9..dbfc045a8646 100644 --- a/sys/netpfil/ipfilter/netinet/ip_fil.h +++ b/sys/netpfil/ipfilter/netinet/ip_fil.h @@ -1473,7 +1473,7 @@ typedef struct ipfexp { int ipfe_cmd; int ipfe_not; int ipfe_narg; - int ipfe_size; + u_int ipfe_size; int ipfe_arg0[1]; } ipfexp_t; diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c index 8a21e7593995..c8d6e4e0feb3 100644 --- a/sys/netpfil/ipfilter/netinet/ip_state.c +++ b/sys/netpfil/ipfilter/netinet/ip_state.c @@ -4910,7 +4910,7 @@ ipf_state_matchflush(ipf_main_softc_t *softc, caddr_t data) static int ipf_state_matcharray(ipstate_t *state, int *array, u_long ticks) { - int i, n, *x, rv, p; + u_int i, n, *x, rv, p; ipfexp_t *e; rv = 0;