diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2025-10-22 23:19:54 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2025-11-12 04:02:31 +0000 |
| commit | dbe0b2c986cbd4c01d5ba5a3b367aba9740c137b (patch) | |
| tree | 1fb066da67bb0c01c91c3f52c866b33714622f6c | |
| parent | e82f63c7257e561a1b2b826b2712cec32eb9c787 (diff) | |
ipfilter: Don't trust userland supplied iph_size
ipf_htable_create() trusts a user-supplied iph_size from iphtable_t
and computes the allocation size as iph->iph_size * sizeof(*iph->iph_table)
without checking for integer overflow. A sufficiently large iph_size
causes the multiplication to wrap, resulting in an under-sized allocation
for the table pointer array. Subsequent code (e.g., in ipf_htent_insert())
can then write past the end of the allocated buffer, corrupting kernel
memory and causing DoS or potential privilege escalation.
This is not typically a problem when using the ipfilter provided
userland tools as calculate the correct lengths. This mitigates a
rogue actor calling ipfilter ioctls directly.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D53286
(cherry picked from commit df381bec2d2b73697a3d163177df042dd272022d)
| -rw-r--r-- | sbin/ipf/libipf/interror.c | 2 | ||||
| -rw-r--r-- | sys/netpfil/ipfilter/netinet/ip_htable.c | 9 |
2 files changed, 11 insertions, 0 deletions
diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c index c2a0fa269149..6d8c313ceb8b 100644 --- a/sbin/ipf/libipf/interror.c +++ b/sbin/ipf/libipf/interror.c @@ -228,6 +228,8 @@ static ipf_error_entry_t ipf_errors[] = { { 30024, "object size incorrect for hash table" }, { 30025, "hash table size must be at least 1"}, { 30026, "cannot allocate memory for hash table context" }, + { 30027, "hash table larger than maximum allowed" }, + { 30028, "hash table multiplication overflow" }, /* -------------------------------------------------------------------------- */ { 40001, "invalid minor device numebr for log read" }, { 40002, "read size too small" }, diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c index 28b3e7e82cec..fc0044651c70 100644 --- a/sys/netpfil/ipfilter/netinet/ip_htable.c +++ b/sys/netpfil/ipfilter/netinet/ip_htable.c @@ -366,6 +366,15 @@ ipf_htable_create(ipf_main_softc_t *softc, void *arg, iplookupop_t *op) iph->iph_name[sizeof(iph->iph_name) - 1] = '\0'; } + if ((iph->iph_size == 0) || + (iph->iph_size > softh->ipf_htable_size_max)) { + IPFERROR(30027); + return (EINVAL); + } + if (iph->iph_size > ( SIZE_MAX / sizeof(*iph->iph_table))) { + IPFERROR(30028); + return (EINVAL); + } KMALLOCS(iph->iph_table, iphtent_t **, iph->iph_size * sizeof(*iph->iph_table)); if (iph->iph_table == NULL) { |