git: a0bac3ef72b2 - main - net/igmpproxy: Fix buffer overflow and use after free
Date: Tue, 23 Dec 2025 10:55:22 UTC
The branch main has been updated by garga:
URL: https://cgit.FreeBSD.org/ports/commit/?id=a0bac3ef72b259e93cafefe1c39e146bbe23fce2
commit a0bac3ef72b259e93cafefe1c39e146bbe23fce2
Author: leper <leper4@protonmail.com>
AuthorDate: 2025-07-13 22:48:24 +0000
Commit: Renato Botelho <garga@FreeBSD.org>
CommitDate: 2025-12-23 10:54:45 +0000
net/igmpproxy: Fix buffer overflow and use after free
Taken from upstream pull requests:
https://github.com/pali/igmpproxy/pull/98
https://github.com/pali/igmpproxy/pull/99
PR: 291642
MFH: 2025Q4
---
net/igmpproxy/Makefile | 3 +-
.../files/patch-fix-buffer-overflow_igmp.c | 22 +++++++++++++++
net/igmpproxy/files/patch-src_rttable.c | 33 ++++++++++++++++++++++
3 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/net/igmpproxy/Makefile b/net/igmpproxy/Makefile
index d11554273288..5375fea7dff7 100644
--- a/net/igmpproxy/Makefile
+++ b/net/igmpproxy/Makefile
@@ -1,6 +1,6 @@
PORTNAME= igmpproxy
DISTVERSION= 0.4
-PORTREVISION= 2
+PORTREVISION= 3
PORTEPOCH= 1
CATEGORIES= net
@@ -15,7 +15,6 @@ USES= autoreconf
USE_GITHUB= yes
GH_ACCOUNT= pali
GNU_CONFIGURE= yes
-GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
USE_RC_SUBR= igmpproxy
post-install:
diff --git a/net/igmpproxy/files/patch-fix-buffer-overflow_igmp.c b/net/igmpproxy/files/patch-fix-buffer-overflow_igmp.c
new file mode 100644
index 000000000000..47f7a0b5866b
--- /dev/null
+++ b/net/igmpproxy/files/patch-fix-buffer-overflow_igmp.c
@@ -0,0 +1,22 @@
+From 2b30c36e6ab5b21defb76ec6458ab7687984484c Mon Sep 17 00:00:00 2001
+From: Jan Klemkow <j.klemkow@wemelug.de>
+Date: Thu, 17 Apr 2025 19:02:16 +0200
+Subject: [PATCH] Fix Buffer Overflow #97
+
+---
+ src/igmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/igmp.c b/src/igmp.c
+index a80c4e5..838694c 100644
+--- src/igmp.c
++++ src/igmp.c
+@@ -94,7 +94,7 @@ static const char *igmpPacketKind(unsigned int type, unsigned int code) {
+ case IGMP_V2_LEAVE_GROUP: return "Leave message ";
+
+ default:
+- sprintf(unknown, "unk: 0x%02x/0x%02x ", type, code);
++ snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x ", type, code);
+ return unknown;
+ }
+ }
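Review bot: The `snprintf` call in the `default:` branch of `igmpPacketKind` stops the overrun but ignores its return value, so a `type` or `code` above 0xff (both are `unsigned int`, and `%02x` is only a minimum width) now yields a silently truncated label. If callers only ever pass the 8-bit IGMP header fields, masking the arguments keeps the string at its fixed width: `snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x ", type & 0xffu, code & 0xffu);`. The declaration of `unknown` is outside the hunk, so its size and storage class cannot be confirmed here. Since the function returns it, it is presumably static, which would make the result non-reentrant and worth a one-line comment. Separately, the file name `patch-fix-buffer-overflow_igmp.c` departs from the `patch-src_rttable.c` naming used for the other patch in this commit; `patch-src_igmp.c` would match.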
diff --git a/net/igmpproxy/files/patch-src_rttable.c b/net/igmpproxy/files/patch-src_rttable.c
new file mode 100644
index 000000000000..14cdf8b868fe
--- /dev/null
+++ b/net/igmpproxy/files/patch-src_rttable.c
@@ -0,0 +1,33 @@
+From e49fb373da9044dfb00ffbcd3e1f68ca7107af75 Mon Sep 17 00:00:00 2001
+From: Jan Klemkow <j.klemkow@wemelug.de>
+Date: Thu, 17 Apr 2025 18:53:18 +0200
+Subject: [PATCH] Fix use after free(3) in internAgeRoute().
+
+removeRoute(croute) calls free(croute). Thus, the zeroing of
+croute->ageVifBits afterwards is unnecessary, illegal and an
+undefined behavior.
+---
+ src/rttable.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/rttable.c b/src/rttable.c
+index bcafa3fe..04e24f3b 100644
+--- src/rttable.c
++++ src/rttable.c
+@@ -704,13 +704,15 @@ int internAgeRoute(struct RouteTable* croute) {
+
+ // No activity was registered within the timelimit, so remove the route.
+ removeRoute(croute);
++ croute = NULL;
+ }
+ // Tell that the route was updated...
+ result = 1;
+ }
+
+ // The aging vif bits must be reset for each round...
+- BIT_ZERO(croute->ageVifBits);
++ if (croute != NULL)
++ BIT_ZERO(croute->ageVifBits);
+
+ return result;
+ }
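Review bot: Setting `croute = NULL` after `removeRoute(croute)` only clears this function's by-value copy of the parameter, so the caller's pointer still refers to freed memory once `internAgeRoute` returns. The hunk removes the write through `BIT_ZERO`, but nothing visible tells a caller that the route may be gone. A comment on the function such as `// May free croute via removeRoute(); the caller must not dereference it after this returns.` would document that, and any caller walking the route list should fetch the next entry before calling (callers are outside the hunk, so this needs checking). The new `if (croute != NULL)` would also be safer with braces around `BIT_ZERO(croute->ageVifBits);`, since `BIT_ZERO` is a macro whose expansion is not shown. The function body begins outside the hunk.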