authorCy Schubert <cy@FreeBSD.org>2026-02-11 19:30:38 +0000
committerCy Schubert <cy@FreeBSD.org>2026-02-17 02:21:59 +0000
commit3fdbd8a07a2dcb8fe3cec19fc59ef064453e4755 (patch)
tree52260c8b9ebc11e73750da249a1e10b2cc3f2ccd
parentfba81b33aabff74ad03d5f9f9663c176cf060fa6 (diff)
ipfilter: Avoid negative array indicies
Array indices must always be positive. We avoid this by making each index unsigned. This mitigates out-of-bounds reads and writes. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: glebius MFC after: 3 days Differential revision: https://reviews.freebsd.org/D55260
-rw-r--r--sys/netpfil/ipfilter/netinet/fil.c4
-rw-r--r--sys/netpfil/ipfilter/netinet/ip_fil.h2
-rw-r--r--sys/netpfil/ipfilter/netinet/ip_state.c2
3 files changed, 4 insertions, 4 deletions
diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index 657097ca7b85..9217572aac50 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -8530,7 +8530,7 @@ ipf_matcharray_load(ipf_main_softc_t *softc, caddr_t data, ipfobj_t *objp,
int
ipf_matcharray_verify(int *array, int arraysize)
{
- int i, nelem, maxidx;
+ u_int i, nelem, maxidx;
ipfexp_t *e;
nelem = arraysize / sizeof(*array);
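Review bot: `arraysize` is still a signed `int` parameter, so in `nelem = arraysize / sizeof(*array);` a negative size is converted to unsigned by the division and now ends up in the unsigned `nelem` as a very large element count instead of a negative one. The rest of ipf_matcharray_verify lies outside the hunk, so it is not visible whether the size is bounded before this point. If it is not, a guard such as `if (arraysize < (int)sizeof(*array))` ahead of the division, taking the function's existing failure return, would make the lower bound explicit. The elements of `array` also remain `int`, so any comparison between them and `i` or `maxidx` is now carried out in unsigned arithmetic, which deserves a one-line comment where it happens.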
@@ -8591,7 +8591,7 @@ ipf_matcharray_verify(int *array, int arraysize)
static int
ipf_fr_matcharray(fr_info_t *fin, int *array)
{
- int i, n, *x, rv, p;
+ u_int i, n, *x, rv, p;
ipfexp_t *e;
rv = 0;
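Review bot: The new declaration in ipf_fr_matcharray makes `x`, `rv` and `p` unsigned as well as the indices `i` and `n`, which is wider than the change the commit message describes. The function still returns `int`, `array` is still `int *`, and `ipfe_arg0` is still declared `int ipfe_arg0[1]` in ip_fil.h. If `x` is pointed at either of them (the body continues outside the hunk), the assignment mixes pointer signedness and every comparison through `*x` silently becomes unsigned. Consider splitting the declaration into `u_int i, n;` and `int *x, rv, p;`. The same declaration is repeated in ipf_state_matcharray in ip_state.c, where the same split applies.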
diff --git a/sys/netpfil/ipfilter/netinet/ip_fil.h b/sys/netpfil/ipfilter/netinet/ip_fil.h
index 81ad50373fe9..dbfc045a8646 100644
--- a/sys/netpfil/ipfilter/netinet/ip_fil.h
+++ b/sys/netpfil/ipfilter/netinet/ip_fil.h
@@ -1473,7 +1473,7 @@ typedef struct ipfexp {
int ipfe_cmd;
int ipfe_not;
int ipfe_narg;
- int ipfe_size;
+ u_int ipfe_size;
int ipfe_arg0[1];
} ipfexp_t;
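Review bot: `ipfe_narg` stays `int` while `ipfe_size` becomes `u_int`, so only one of the two count-like fields in `ipfexp_t` loses its sign. If `ipfe_narg` is also used to step through `ipfe_arg0` (not visible in this hunk), it needs the same treatment or an explicit range check. An unsigned `ipfe_size` also turns a negative input into a very large value rather than rejecting it, so the code that consumes the field still has to compare it against the remaining array length. If that check lives in ipf_matcharray_verify, a comment on the field such as `/* bounded by ipf_matcharray_verify() */` would record the dependency.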
diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c
index 8a21e7593995..c8d6e4e0feb3 100644
--- a/sys/netpfil/ipfilter/netinet/ip_state.c
+++ b/sys/netpfil/ipfilter/netinet/ip_state.c
@@ -4910,7 +4910,7 @@ ipf_state_matchflush(ipf_main_softc_t *softc, caddr_t data)
static int
ipf_state_matcharray(ipstate_t *state, int *array, u_long ticks)
{
- int i, n, *x, rv, p;
+ u_int i, n, *x, rv, p;
ipfexp_t *e;
rv = 0;