From nobody Fri Dec 19 18:07:11 2025
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: 0c37e6e295fb - stable/13 - ipfilter: Prevent stack buffer overflow
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 0c37e6e295fb980b52b0fb865f4e01823759e8e8
Date: Fri, 19 Dec 2025 18:07:11 +0000
Message-Id: <6945944f.235c4.5abb4403@gitrepo.freebsd.org>

The branch stable/13 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=0c37e6e295fb980b52b0fb865f4e01823759e8e8

commit 0c37e6e295fb980b52b0fb865f4e01823759e8e8
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-12-16 16:11:24 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2025-12-19 18:07:05 +0000

    ipfilter: Prevent stack buffer overflow

    When copying ipfs data from user space, don't just check that the
    payload length is nonzero, but also that it does not exceed the size
    of the stack buffer we're copying it into.

    While we're at it, use a union to create a buffer of the exact size
    we need instead of guessing that 2048 will be enough (and not too
    much).

    Finally, check the size of the payload once it gets to where it's
    used.

    MFC after:	3 days
    Reported by:	Ilja Van Sprundel
    Reviewed by:	cy
    Differential Revision:	https://reviews.freebsd.org/D54194

    (cherry picked from commit a34c50fbd2a52bb63acde82e5aec4cb57880e39b)
---
 sbin/ipf/libipf/interror.c             |  5 ++++
 sys/netpfil/ipfilter/netinet/ip_sync.c | 51 ++++++++++++++++++++++++----------
 2 files changed, 42 insertions(+), 14 deletions(-)

diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
index 6d8c313ceb8b..ecb813aec853 100644
--- a/sbin/ipf/libipf/interror.c +++ b/sbin/ipf/libipf/interror.c @@ -472,6 +472,11 @@ log" }, { 110019, "sync update could not find NAT entry" }, { 110020, "unrecognised sync NAT command" }, { 110021, "ioctls are not handled with sync" }, + /* missing entries 110022-110024 */ + { 110025, "invalid payload length (sync create state)" }, + { 110026, "invalid payload length (sync update state)" }, + { 110027, "invalid payload length (sync create NAT)" }, + { 110028, "invalid payload length (sync update NAT)" }, /* -------------------------------------------------------------------------- */ { 120001, "null data pointer for iterator" }, { 120002, "unit outside of acceptable range" }, diff --git a/sys/netpfil/ipfilter/netinet/ip_sync.c b/sys/netpfil/ipfilter/netinet/ip_sync.c index b7afe45c8f7e..51b2e544ec52 100644 --- a/sys/netpfil/ipfilter/netinet/ip_sync.c +++ b/sys/netpfil/ipfilter/netinet/ip_sync.c @@ -412,13 +412,16 @@ ipf_sync_write(ipf_main_softc_t *softc, struct uio *uio) { ipf_sync_softc_t *softs = softc->ipf_sync_soft; synchdr_t sh; - - /* - * THIS MUST BE SUFFICIENT LARGE TO STORE - * ANY POSSIBLE DATA TYPE - */ - char data[2048]; - + union ipf_sync_data { + union ipf_sync_state_data { + ipstate_t create; + synctcp_update_t update; + } state; + union ipf_sync_nat_data { + nat_t create; + syncupdent_t update; + } nat; + } data; int err = 0; # if defined(__NetBSD__) || defined(__FreeBSD__) 
@@ -497,18 +500,18 @@ ipf_sync_write(ipf_main_softc_t *softc, struct uio *uio) * needed for the request */ - /* not supported */ - if (sh.sm_len == 0) { + /* too short or too long */ + if (sh.sm_len == 0 || sh.sm_len > sizeof(data)) { if (softs->ipf_sync_debug > 2) - printf("uiomove(data zero length %s\n", - "not supported"); + printf("uiomove(data) invalid length %d\n", + sh.sm_len); IPFERROR(110006); return (EINVAL); } if (uio->uio_resid >= sh.sm_len) { - err = UIOMOVE(data, sh.sm_len, UIO_WRITE, uio); + err = UIOMOVE(&data, sh.sm_len, UIO_WRITE, uio); if (err) { if (softs->ipf_sync_debug > 2) @@ -522,9 +525,9 @@ ipf_sync_write(ipf_main_softc_t *softc, struct uio *uio) sh.sm_len); if (sh.sm_table == SMC_STATE) - err = ipf_sync_state(softc, &sh, data); + err = ipf_sync_state(softc, &sh, &data); else if (sh.sm_table == SMC_NAT) - err = ipf_sync_nat(softc, &sh, data); + err = ipf_sync_nat(softc, &sh, &data); if (softs->ipf_sync_debug > 7) printf("[%d] Finished with error %d\n", sh.sm_num, err); @@ -654,6 +657,11 @@ ipf_sync_state(ipf_main_softc_t *softc, synchdr_t *sp, void *data) { case SMC_CREATE : + if (sp->sm_len != sizeof(sn)) { + IPFERROR(110025); + err = EINVAL; + break; + } bcopy(data, &sn, sizeof(sn)); KMALLOC(is, ipstate_t *); if (is == NULL) { @@ -720,6 +728,11 @@ ipf_sync_state(ipf_main_softc_t *softc, synchdr_t *sp, void *data) break; case SMC_UPDATE : + if (sp->sm_len != sizeof(su)) { + IPFERROR(110026); + err = EINVAL; + break; + } bcopy(data, &su, sizeof(su)); if (softs->ipf_sync_debug > 4) @@ -895,6 +908,11 @@ ipf_sync_nat(ipf_main_softc_t *softc, synchdr_t *sp, void *data) break; } + if (sp->sm_len != sizeof(*nat)) { + IPFERROR(110027); + err = EINVAL; + break; + } nat = (nat_t *)data; bzero((char *)n, offsetof(nat_t, nat_age)); bcopy((char *)&nat->nat_age, (char *)&n->nat_age, 
@@ -918,6 +936,11 @@ ipf_sync_nat(ipf_main_softc_t *softc, synchdr_t *sp, void *data) break; case SMC_UPDATE : + if (sp->sm_len != sizeof(su)) { + IPFERROR(110028); + err = EINVAL; + break; + } bcopy(data, &su, sizeof(su)); for (sl = softs->syncnattab[hv]; (sl != NULL);
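Review bot: the `/* missing entries 110022-110024 */` comment in the interror.c hunk (@@ -472) records a gap without saying why it exists; state whether those codes are reserved or already allocated elsewhere so a later addition does not reuse them. In the same spirit, the ip_sync.c hunk at @@ -497 now reports over-long payloads under the pre-existing code 110006, whose table entry is not part of this diff; confirm its description no longer reads as a zero-length-only error, or give the too-long case its own code alongside 110025-110028.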
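Review bot: the inner union tags `ipf_sync_state_data` and `ipf_sync_nat_data` in the @@ -412 hunk are function-local and never referenced by name again in this diff; anonymous inner unions (or one flat union of the four members) would read cleaner. The deleted "THIS MUST BE SUFFICIENT LARGE" comment carried the intent of the buffer; replace it with a one-liner saying that `sizeof(data)` is now exactly the largest sync record, since that property is what the length check at @@ -497 relies on.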
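Review bot: in the @@ -497 hunk the new bound `sh.sm_len > sizeof(data)` is correct, but the debug line prints sm_len with `%d`, which suggests a signed type; if so, a negative sm_len is rejected only because it converts to a large unsigned value when compared against `sizeof(data)`. Make that explicit with `sh.sm_len <= 0 ||` (or a cast to an unsigned type) and use a format specifier that matches the field's actual type, so the rejection does not depend on an implicit conversion and the debug output stays accurate.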
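Review bot: the SMC_CREATE check `sp->sm_len != sizeof(sn)` in the @@ -654 hunk is the right place to enforce the per-record size now that ipf_sync_write has already bounded sm_len by `sizeof(data)`, but it fails silently: the caller's rejection at @@ -497 logs the offending length under ipf_sync_debug, while the four new checks (here, @@ -720, @@ -895 and @@ -918) only set err and break. Add a debug printf of `sp->sm_len` and the expected size at each, so a record-layout mismatch between sync peers is diagnosable rather than a bare EINVAL.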
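Review bot: in the @@ -895 hunk the new check reads `sizeof(*nat)` before `nat = (nat_t *)data;` has run. That is well-defined, since sizeof does not evaluate its operand, but it looks like a use of an unassigned pointer; `sizeof(nat_t)` states the same requirement without the double take. Note also that the following bcopy only copies from `nat_age` onward, so the full-struct length requirement is stricter than what this path consumes; that is acceptable for a fixed-layout record but deserves a short comment.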