authorCy Schubert <cy@FreeBSD.org>2026-02-04 17:27:23 +0000
committerCy Schubert <cy@FreeBSD.org>2026-02-04 20:46:20 +0000
commite40817302ebdf89df2f3bcd679fb7f2a18c244dc (patch)
treee50cff0b0c7b813daaa91ce4d7709cc744a64c65
parentfe8105de1485063a02ff25e686761247f78aaed9 (diff)
ipfilter: Fix possible overrun
The destination buffer is FR_GROUPLEN (16 bytes) in length. When gname is created, the userspace utilities correctly use FR_GROUPLEN as the buffer length. The kernel should also limit its copy operation to FR_GROUPLEN bytes to prevent user-written code from exploiting this vulnerability. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 1 week
-rw-r--r--sys/netpfil/ipfilter/netinet/fil.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index f8b8ffec7bdd..24ac91c69fc8 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -3503,7 +3503,7 @@ ipf_group_add(ipf_main_softc_t *softc, char *group, void *head, u_32_t flags,
fg->fg_head = head;
fg->fg_start = NULL;
fg->fg_next = *fgp;
- bcopy(group, fg->fg_name, strlen(group) + 1);
+ bcopy(group, fg->fg_name, strnlen(group, FR_GROUPLEN) + 1);
fg->fg_flags = gflags;
fg->fg_ref = 1;
fg->fg_set = &softc->ipf_groups[unit][set];
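Review bot: The new bound on the bcopy line still permits a one-byte overrun: when `group` contains no NUL within its first FR_GROUPLEN bytes, `strnlen()` returns FR_GROUPLEN and the call copies FR_GROUPLEN + 1 bytes into `fg_name`, which the commit message states is FR_GROUPLEN bytes long, and it also reads one byte beyond the validated part of `group`. In that same case the stored name is left unterminated, so later string operations on `fg_name` can read past the field. A bounded copy that always terminates closes both gaps, e.g. `(void) strncpy(fg->fg_name, group, FR_GROUPLEN - 1); fg->fg_name[FR_GROUPLEN - 1] = '\0';` (or `strlcpy(fg->fg_name, group, FR_GROUPLEN)` where the kernel provides it). Rejecting an over-long name with an error rather than silently truncating would be stronger, but the function's error paths lie outside this hunk; ipf_group_add begins before and continues after it.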