path: root/sys/gnu/fpemul/(public-mirror)
author: Cy Schubert <cy@FreeBSD.org> 2025-10-22 23:19:54 +0000
committer: Cy Schubert <cy@FreeBSD.org> 2025-11-05 15:32:17 +0000
commit: df381bec2d2b73697a3d163177df042dd272022d (patch)
tree: ddc66e5d1d05a4fd9b51f215024b63eb393feb50 /sys/gnu/fpemul/(public-mirror)
parent: f3b94f47f55c502e8983f9bd294e963e75b2963a (diff)
ipfilter: Don't trust userland supplied iph_size
ipf_htable_create() trusts a user-supplied iph_size from iphtable_t and computes the allocation size as iph->iph_size * sizeof(*iph->iph_table) without checking for integer overflow. A sufficiently large iph_size causes the multiplication to wrap, resulting in an under-sized allocation for the table pointer array. Subsequent code (e.g., in ipf_htent_insert()) can then write past the end of the allocated buffer, corrupting kernel memory and causing DoS or potential privilege escalation.

This is not typically a problem when using the ipfilter provided userland tools, as they calculate the correct lengths. This mitigates a rogue actor calling ipfilter ioctls directly.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53286
Diffstat (limited to 'sys/gnu/fpemul/(public-mirror)')
0 files changed, 0 insertions, 0 deletions
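The allocation-size bug described in the commit message, shown as an added example that is not the FreeBSD change itself (the diff is not on this page): the unchecked multiplication modelled with a 32-bit size so the wrap is visible, beside an overflow-checked version that refuses the allocation instead of returning an under-sized buffer. The element type `htent_ptr_t` and the helper names are assumptions standing in for `*iph->iph_table`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the pointer array element iph->iph_table points at. */
typedef void *htent_ptr_t;

/* Unchecked pattern: count * sizeof(element), modelled with a 32-bit size
 * type so the wrap is reproducible on any host. A huge count comes back as
 * a tiny byte count, which is exactly the under-sized allocation. */
uint32_t table_bytes_wrap32(uint32_t iph_size)
{
    return iph_size * (uint32_t)sizeof(htent_ptr_t);
}

/* Checked form: compute count * elem only when it provably cannot wrap.
 * Returns false (caller must reject the request) otherwise. */
bool checked_table_bytes(size_t count, size_t elem, size_t *out)
{
    if (count == 0 || elem == 0)          /* assumed invariant: non-empty table */
        return false;
    if (count > SIZE_MAX / elem)          /* product would exceed size_t */
        return false;
    *out = count * elem;
    return true;
}

/* Hypothetical allocator for a caller-supplied table size: returns NULL
 * (request refused) rather than a buffer smaller than the caller expects. */
htent_ptr_t *alloc_table(size_t iph_size)
{
    size_t bytes;
    htent_ptr_t *table;

    if (!checked_table_bytes(iph_size, sizeof(htent_ptr_t), &bytes))
        return NULL;
    table = malloc(bytes);
    if (table != NULL)
        memset(table, 0, bytes);
    return table;
}
```

With a constructed `iph_size` of 0x20000001, the 32-bit model allocates 8 bytes for over half a billion entries, while `checked_table_bytes` rejects any count above `SIZE_MAX / sizeof(htent_ptr_t)`.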