git: 15c33b64ac2d - stable/13 - ipfilter: Fix possible overrun

The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=15c33b64ac2d6a6201cb819da184d0f4028d7632

commit 15c33b64ac2d6a6201cb819da184d0f4028d7632
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2026-02-04 17:27:23 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-02-20 02:24:26 +0000

    ipfilter: Fix possible overrun
    
    The destination buffer is FR_GROUPLEN (16 bytes) in length. When
    gname is created, the userspace utilities correctly use FR_GROUPLEN
    as the buffer length. The kernel should also limit its copy operation to
    FR_GROUPLEN bytes to avoid any user written code from exploiting this
    vulnerability.
    
    Reported by:    Ilja Van Sprundel <ivansprundel@ioactive.com>
    
    (cherry picked from commit e40817302ebdf89df2f3bcd679fb7f2a18c244dc)
---
 sys/netpfil/ipfilter/netinet/fil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index b2d84ce1fefc..cf21c68b7b46 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -3507,7 +3507,7 @@ ipf_group_add(ipf_main_softc_t *softc, char *group, void *head, u_32_t flags,
 		fg->fg_head = head;
 		fg->fg_start = NULL;
 		fg->fg_next = *fgp;
-		bcopy(group, fg->fg_name, strlen(group) + 1);
+		bcopy(group, fg->fg_name, strnlen(group, FR_GROUPLEN) + 1);
 		fg->fg_flags = gflags;
 		fg->fg_ref = 1;
 		fg->fg_set = &softc->ipf_groups[unit][set];