ipfilter: Avoid negative array indicies

Array indices must always be positive. We avoid this by making each index
unsigned. This mitigates out-of-bounds reads and writes.

Reported by:		Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by:		glebius
MFC after:		3 days
Differential revision:	https://reviews.freebsd.org/D55260
Cy Schubert
2026-02-11 11:30:38 -08:00
parent fba81b33aa
commit 3fdbd8a07a
3 changed files with 4 additions and 4 deletions
+2 -2
@@ -8530,7 +8530,7 @@ ipf_matcharray_load(ipf_main_softc_t *softc, caddr_t data, ipfobj_t *objp,
int
ipf_matcharray_verify(int *array, int arraysize)
{
int i, nelem, maxidx;
u_int i, nelem, maxidx;
ipfexp_t *e;
nelem = arraysize / sizeof(*array);
@@ -8591,7 +8591,7 @@ ipf_matcharray_verify(int *array, int arraysize)
static int
ipf_fr_matcharray(fr_info_t *fin, int *array)
{
int i, n, *x, rv, p;
u_int i, n, *x, rv, p;
ipfexp_t *e;
rv = 0;
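Review bot: The new declaration in ipf_fr_matcharray, `u_int i, n, *x, rv, p;`, changes more than the indices: `x` becomes a `u_int *` and `rv` becomes unsigned, while the function still takes `int *array` and is declared to return `int`. The body continues outside this hunk, but if `x` is assigned from `array` and `rv` is returned, the result is a pointer-signedness mismatch and an implicit unsigned-to-int conversion on return. Splitting the line into `u_int i, n;` and `int *x, rv, p;` (keeping `p` unsigned only if it is really used as an index) would limit the change to the counters the commit message describes. The identical declaration is introduced in ipf_state_matcharray in the third file section. An unsigned `n` that is counted down also wraps to a large value instead of going negative, so any `n > 0` loop test in these bodies should be re-checked.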
+1 -1
@@ -1473,7 +1473,7 @@ typedef struct ipfexp {
int ipfe_cmd;
int ipfe_not;
int ipfe_narg;
int ipfe_size;
u_int ipfe_size;
int ipfe_arg0[1];
} ipfexp_t;
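Review bot: Making `ipfe_size` unsigned in `struct ipfexp` removes the negative case but not the oversized one: a value that previously read as negative now reads as a very large count. Every consumer therefore still needs an explicit upper bound against the remaining array length, and whether that check exists cannot be confirmed from this section. The neighbouring `ipfe_narg` stays `int`; if it is used anywhere to index `ipfe_arg0`, it carries the same negative-index risk and would want the matching change, `u_int ipfe_narg;`. Comparisons between `ipfe_size` and any remaining `int` locals will now be done as unsigned, which is worth checking in the callers.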
+1 -1
@@ -4910,7 +4910,7 @@ ipf_state_matchflush(ipf_main_softc_t *softc, caddr_t data)
static int
ipf_state_matcharray(ipstate_t *state, int *array, u_long ticks)
{
int i, n, *x, rv, p;
u_int i, n, *x, rv, p;
ipfexp_t *e;
rv = 0;