git: 32919a34f17a - main - net: Validate interface group names in ioctl handlers
Date: Mon, 27 Oct 2025 16:39:07 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=32919a34f17ac1af99dec7376f22a8393c251602
commit 32919a34f17ac1af99dec7376f22a8393c251602
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-10-27 16:27:13 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-10-27 16:27:13 +0000
net: Validate interface group names in ioctl handlers
The handlers were not checking that the group names are nul-terminated.
Add checks for this.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: zlei
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53344
---
sys/net/if.c | 34 ++++++++++++++++++++++++++--------
1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/sys/net/if.c b/sys/net/if.c
index b6a798aa0fab..cb9c47c14c32 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -2842,15 +2842,20 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
break;
case SIOCAIFGROUP:
+ {
+ const char *groupname;
+
error = priv_check(td, PRIV_NET_ADDIFGROUP);
if (error)
return (error);
- error = if_addgroup(ifp,
- ((struct ifgroupreq *)data)->ifgr_group);
+ groupname = ((struct ifgroupreq *)data)->ifgr_group;
+ if (strnlen(groupname, IFNAMSIZ) == IFNAMSIZ)
+ return (EINVAL);
+ error = if_addgroup(ifp, groupname);
if (error != 0)
return (error);
break;
-
+ }
case SIOCGIFGROUP:
{
struct epoch_tracker et;
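Review bot: The termination check `strnlen(groupname, IFNAMSIZ) == IFNAMSIZ` in the SIOCAIFGROUP case is written out in full here and repeated in the SIOCDIFGROUP and SIOCGIFGMEMB cases, so a later handler that takes a group name from userspace can be added without it and nobody will notice. A small file-local predicate (name is only a suggestion), `static bool ifgroup_name_terminated(const char *name) { return (strnlen(name, IFNAMSIZ) < IFNAMSIZ); }`, would keep the bound in one place, with a comment such as `/* The name arrives in a fixed-size buffer from the caller; reject it unless a NUL lies within IFNAMSIZ bytes. */`. Whether if_addgroup() and if_delgroup() reject a zero-length name is not visible in this hunk, so that is worth confirming while the validation is being touched. ifhwioctl() starts and ends outside the hunk.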
@@ -2862,15 +2867,20 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
}
case SIOCDIFGROUP:
+ {
+ const char *groupname;
+
error = priv_check(td, PRIV_NET_DELIFGROUP);
if (error)
return (error);
- error = if_delgroup(ifp,
- ((struct ifgroupreq *)data)->ifgr_group);
+ groupname = ((struct ifgroupreq *)data)->ifgr_group;
+ if (strnlen(groupname, IFNAMSIZ) == IFNAMSIZ)
+ return (EINVAL);
+ error = if_delgroup(ifp, groupname);
if (error != 0)
return (error);
break;
-
+ }
default:
error = ENOIOCTL;
break;
@@ -3014,9 +3024,17 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td)
goto out_noref;
case SIOCGIFGMEMB:
- error = if_getgroupmembers((struct ifgroupreq *)data);
- goto out_noref;
+ {
+ struct ifgroupreq *req;
+ req = (struct ifgroupreq *)data;
+ if (strnlen(req->ifgr_name, IFNAMSIZ) == IFNAMSIZ) {
+ error = EINVAL;
+ goto out_noref;
+ }
+ error = if_getgroupmembers(req);
+ goto out_noref;
+ }
#if defined(INET) || defined(INET6)
case SIOCSVH:
case SIOCGVH:
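Review bot: The SIOCGIFGMEMB case validates `req->ifgr_name`, whereas the two ifhwioctl() cases validate `ifgr_group`, and nothing in the new code says why the field differs. A one-line comment above the check, such as `/* For SIOCGIFGMEMB the group name is carried in ifgr_name. */`, would stop a reader from taking it for a copy-paste slip; that reading is inferred from the commit title, since if_getgroupmembers() is not shown here. The block would also read more simply with a single exit, setting `error = EINVAL;` in the `if` and calling `if_getgroupmembers(req)` in an `else`, followed by one `goto out_noref;`. ifioctl() starts and ends outside the hunk.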