Date: Tue, 23 Dec 2025 10:55:22 +0000
From: Renato Botelho <garga@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc: leper <leper4@protonmail.com>
Subject: git: a0bac3ef72b2 - main - net/igmpproxy: Fix buffer overflow and use after free
Message-ID: <694a751a.f41d.6ee346e4@gitrepo.freebsd.org>
The branch main has been updated by garga: URL: https://cgit.FreeBSD.org/ports/commit/?id=a0bac3ef72b259e93cafefe1c39e146bbe23fce2 commit a0bac3ef72b259e93cafefe1c39e146bbe23fce2 Author: leper <leper4@protonmail.com> AuthorDate: 2025-07-13 22:48:24 +0000 Commit: Renato Botelho <garga@FreeBSD.org> CommitDate: 2025-12-23 10:54:45 +0000 net/igmpproxy: Fix buffer overflow and use after free Taken from upstream pull requests: https://github.com/pali/igmpproxy/pull/98 https://github.com/pali/igmpproxy/pull/99 PR: 291642 MFH: 2025Q4 --- net/igmpproxy/Makefile | 3 +- .../files/patch-fix-buffer-overflow_igmp.c | 22 +++++++++++++++ net/igmpproxy/files/patch-src_rttable.c | 33 ++++++++++++++++++++++ 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/net/igmpproxy/Makefile b/net/igmpproxy/Makefile index d11554273288..5375fea7dff7 100644 --- a/net/igmpproxy/Makefile +++ b/net/igmpproxy/Makefile @@ -1,6 +1,6 @@ PORTNAME= igmpproxy DISTVERSION= 0.4 -PORTREVISION= 2 +PORTREVISION= 3 PORTEPOCH= 1 CATEGORIES= net @@ -15,7 +15,6 @@ USES= autoreconf USE_GITHUB= yes GH_ACCOUNT= pali GNU_CONFIGURE= yes -GNU_CONFIGURE_MANPREFIX=${PREFIX}/share USE_RC_SUBR= igmpproxy post-install: diff --git a/net/igmpproxy/files/patch-fix-buffer-overflow_igmp.c b/net/igmpproxy/files/patch-fix-buffer-overflow_igmp.c new file mode 100644 index 000000000000..47f7a0b5866b --- /dev/null +++ b/net/igmpproxy/files/patch-fix-buffer-overflow_igmp.c 
@@ -0,0 +1,22 @@ +From 2b30c36e6ab5b21defb76ec6458ab7687984484c Mon Sep 17 00:00:00 2001 +From: Jan Klemkow <j.klemkow@wemelug.de> +Date: Thu, 17 Apr 2025 19:02:16 +0200 +Subject: [PATCH] Fix Buffer Overflow #97 + +--- + src/igmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/igmp.c b/src/igmp.c +index a80c4e5..838694c 100644 +--- src/igmp.c ++++ src/igmp.c +@@ -94,7 +94,7 @@ static const char *igmpPacketKind(unsigned int type, unsigned int code) { + case IGMP_V2_LEAVE_GROUP: return "Leave message "; + + default: +- sprintf(unknown, "unk: 0x%02x/0x%02x ", type, code); ++ snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x ", type, code); + return unknown; + } + } diff --git a/net/igmpproxy/files/patch-src_rttable.c b/net/igmpproxy/files/patch-src_rttable.c new file mode 100644 index 000000000000..14cdf8b868fe --- /dev/null +++ b/net/igmpproxy/files/patch-src_rttable.c @@ -0,0 +1,33 @@ +From e49fb373da9044dfb00ffbcd3e1f68ca7107af75 Mon Sep 17 00:00:00 2001 +From: Jan Klemkow <j.klemkow@wemelug.de> +Date: Thu, 17 Apr 2025 18:53:18 +0200 +Subject: [PATCH] Fix use after free(3) in internAgeRoute(). + +removeRoute(croute) calls free(croute). Thus, the zeroing of +croute->ageVifBits afterwards is unnecessary, illegal and an +undefined behavior. +--- + src/rttable.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/rttable.c b/src/rttable.c +index bcafa3fe..04e24f3b 100644 +--- src/rttable.c ++++ src/rttable.c +@@ -704,13 +704,15 @@ int internAgeRoute(struct RouteTable* croute) { + + // No activity was registered within the timelimit, so remove the route. + removeRoute(croute); ++ croute = NULL; + } + // Tell that the route was updated... + result = 1; + } + + // The aging vif bits must be reset for each round... +- BIT_ZERO(croute->ageVifBits); ++ if (croute != NULL) ++ BIT_ZERO(croute->ageVifBits); + + return result; + }home | help
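Review bot: In the second net/igmpproxy/Makefile hunk, the removal of `GNU_CONFIGURE_MANPREFIX=${PREFIX}/share` is unrelated to the two fixes named in the commit message and is not mentioned there. Either split it into its own commit or add a line to the message saying why it is dropped, so the PORTREVISION bump from 2 to 3 can be tied to each change it covers.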
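Review bot: In the `default:` branch of igmpPacketKind() in src/igmp.c, `sizeof unknown` is the right bound only if `unknown` is declared as an array in this scope; the declaration is outside the hunk's context, so confirm it is not a pointer, where the bound would be the pointer size. `%02x` is a minimum width and `type` and `code` are `unsigned int`, so values above 0xff can now be truncated in the returned string instead of overrunning it; if the full value matters in logs, size the buffer for two 8-digit fields. The patch file is also named patch-fix-buffer-overflow_igmp.c while its sibling is patch-src_rttable.c; patch-src_igmp.c would match.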
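Review bot: In internAgeRoute() in src/rttable.c, `croute = NULL;` only clears the local copy of the argument, so the caller's pointer still refers to the route freed by removeRoute(), and `result = 1` is returned for both the removed and the updated case. Confirm that no caller touches the route after this function returns, or give the removal path a distinct return value so callers can tell. The new `if (croute != NULL)` could also take braces to match the surrounding blocks.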
