ipfilter: Fix possible overrun

The destination buffer is FR_GROUPLEN (16 bytes) in length. When
gname is created, the userspace utilities correctly use FR_GROUPLEN
as the buffer length. The kernel should also limit its copy operation to
FR_GROUPLEN bytes to avoid any user written code from exploiting this
vulnerability.

Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after:	1 week
Cy Schubert
2026-02-04 09:27:23 -08:00
parent fe8105de14
commit e40817302e
+1 -1
@@ -3503,7 +3503,7 @@ ipf_group_add(ipf_main_softc_t *softc, char *group, void *head, u_32_t flags,
fg->fg_head = head;
fg->fg_start = NULL;
fg->fg_next = *fgp;
bcopy(group, fg->fg_name, strlen(group) + 1);
bcopy(group, fg->fg_name, strnlen(group, FR_GROUPLEN) + 1);
fg->fg_flags = gflags;
fg->fg_ref = 1;
fg->fg_set = &softc->ipf_groups[unit][set];
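Review bot: The new bcopy length, strnlen(group, FR_GROUPLEN) + 1, can still reach FR_GROUPLEN + 1 bytes when group has no NUL in its first FR_GROUPLEN bytes, which is one byte more than the FR_GROUPLEN-byte destination described in the commit message. In that case the final byte copied is whatever follows in group, so fg_name is also not guaranteed to be NUL-terminated. Consider bounding the length to FR_GROUPLEN - 1 and writing the terminator explicitly, or using strlcpy(fg->fg_name, group, FR_GROUPLEN), and consider rejecting an over-long group name with an error rather than silently truncating it, since a truncated name could match a different group.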