Date: Fri, 14 Nov 2025 04:11:34 GMT From: Cy Schubert <cy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 794a904b454b - stable/14 - ipfilter: Don't trust userland supplied iph_size Message-ID: <202511140411.5AE4BYXQ083712@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/14 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=794a904b454b22c27cea04d209a5fc74972b0fa6 commit 794a904b454b22c27cea04d209a5fc74972b0fa6 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2025-10-22 23:19:54 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2025-11-14 04:11:16 +0000 ipfilter: Don't trust userland supplied iph_size ipf_htable_create() trusts a user-supplied iph_size from iphtable_t and computes the allocation size as iph->iph_size * sizeof(*iph->iph_table) without checking for integer overflow. A sufficiently large iph_size causes the multiplication to wrap, resulting in an under-sized allocation for the table pointer array. Subsequent code (e.g., in ipf_htent_insert()) can then write past the end of the allocated buffer, corrupting kernel memory and causing DoS or potential privilege escalation. This is not typically a problem when using the ipfilter provided userland tools as calculate the correct lengths. This mitigates a rogue actor calling ipfilter ioctls directly. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: markj Differential revision: https://reviews.freebsd.org/D53286 (cherry picked from commit df381bec2d2b73697a3d163177df042dd272022d) --- sbin/ipf/libipf/interror.c | 2 ++ sys/netpfil/ipfilter/netinet/ip_htable.c | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c index 04fc53c863fe..5b3836f36d60 100644 --- a/sbin/ipf/libipf/interror.c +++ b/sbin/ipf/libipf/interror.c @@ -228,6 +228,8 @@ static ipf_error_entry_t ipf_errors[] = { { 30024, "object size incorrect for hash table" }, { 30025, "hash table size must be at least 1"}, { 30026, "cannot allocate memory for hash table context" }, + { 30027, "hash table larger than maximum allowed" }, + { 30028, "hash table multiplication overflow" }, /* -------------------------------------------------------------------------- */ { 40001, "invalid minor device number for log read" }, { 40002, "read size too small" }, diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c index 94741d589601..ca9e96698245 100644 --- a/sys/netpfil/ipfilter/netinet/ip_htable.c +++ b/sys/netpfil/ipfilter/netinet/ip_htable.c @@ -364,6 +364,15 @@ ipf_htable_create(ipf_main_softc_t *softc, void *arg, iplookupop_t *op) iph->iph_name[sizeof(iph->iph_name) - 1] = '\0'; } + if ((iph->iph_size == 0) || + (iph->iph_size > softh->ipf_htable_size_max)) { + IPFERROR(30027); + return (EINVAL); + } + if (iph->iph_size > ( SIZE_MAX / sizeof(*iph->iph_table))) { + IPFERROR(30028); + return (EINVAL); + } KMALLOCS(iph->iph_table, iphtent_t **, iph->iph_size * sizeof(*iph->iph_table)); if (iph->iph_table == NULL) {home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202511140411.5AE4BYXQ083712>