diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2025-10-22 16:29:03 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2025-10-23 22:56:28 +0000 |
| commit | 0d589ecbc7aa916537fd21c0344919491cfcb293 (patch) | |
| tree | a33e2b299c48aa2c316a3a1e3fe6485d7ad59b1d | |
| parent | 6535e9308a26e17023831fe68fb71d2febf2a002 (diff) | |
ipfilter: Plug ip_htable kernel information leak
ipf_htable_stats_get() constructs an iphtstat_t on the stack and only
initializes select fields before copying the entire structure to
userland. The trailing padding array iphs_pad[16] is never initialized,
so ~128 bytes of uninitialized kernel stack memory can be leaked to user
space on each call. This is a classic information disclosure
vulnerability that can reveal pointers and other sensitive data.
We fix this by zeroing out the data structure prior to use.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: emaste
MFC after: 3 days
Differential revision: https://reviews.freebsd.org/D53275
| -rw-r--r-- | sys/netpfil/ipfilter/netinet/ip_htable.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netpfil/ipfilter/netinet/ip_htable.c b/sys/netpfil/ipfilter/netinet/ip_htable.c index 91b375f80db1..3f765cfab947 100644 --- a/sys/netpfil/ipfilter/netinet/ip_htable.c +++ b/sys/netpfil/ipfilter/netinet/ip_htable.c @@ -230,6 +230,8 @@ ipf_htable_stats_get(ipf_main_softc_t *softc, void *arg, iplookupop_t *op) return (EINVAL); } + bzero(&stats, sizeof(stats)); + stats.iphs_tables = softh->ipf_htables[op->iplo_unit + 1]; stats.iphs_numtables = softh->ipf_nhtables[op->iplo_unit + 1]; stats.iphs_numnodes = softh->ipf_nhtnodes[op->iplo_unit + 1]; |