authorCy Schubert <cy@FreeBSD.org>2025-10-22 15:59:26 +0000
committerCy Schubert <cy@FreeBSD.org>2025-10-23 22:56:28 +0000
commit6535e9308a26e17023831fe68fb71d2febf2a002 (patch)
tree9fa86b7ef2ddc6d5ce96cb4ce35d577a31ec8060
parentbbe65c5e8c0e89ec14cb5d00153691850dadb859 (diff)
ipfilter: Plug ip_nat kernel information leak
ipf_nat_getent() allocates a variable-sized nat_save_t buffer with KMALLOCS() (which does not zero memory) and then copies only a subset of fields into it before returning the object to userland using ipf_outobjsz(). Because the structure is not fully initialized on all paths, uninitialized kernel heap bytes can be copied back to user space, resulting in an information leak. We fix this by zeroing out the data structure immediately after allocation. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: emaste MFC after: 3 days Differential revision: https://reviews.freebsd.org/D53274
-rw-r--r--sys/netpfil/ipfilter/netinet/ip_nat.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
index 972511f43bd5..53c180cdfbca 100644
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1771,6 +1771,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock)
IPFERROR(60029);
return (ENOMEM);
}
+ bzero(ipn, ipns.ipn_dsize);
if (getlock) {
READ_ENTER(&softc->ipf_nat);