The branch stable/15 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=d3b0843d2cec1650e837c421e39532db24d49714
commit d3b0843d2cec1650e837c421e39532db24d49714 Author: Cy Schubert <[email protected]> AuthorDate: 2025-10-22 15:59:26 +0000 Commit: Cy Schubert <[email protected]> CommitDate: 2025-10-26 03:14:08 +0000 ipfilter: Plug ip_nat kernel information leak ipf_nat_getent() allocates a variable-sized nat_save_t buffer with KMALLOCS() (which does not zero memory) and then copies only a subset of fields into it before returning the object to userland using ipf_outobjsz(). Because the structure is not fully initialized on all paths, uninitialized kernel heap bytes can be copied back to user space, resulting in an information leak. We fix this by zeroing out the data structure immediately after allocation. Reported by: Ilja Van Sprundel <[email protected]> Reviewed by: emaste Differential revision: https://reviews.freebsd.org/D53274 (cherry picked from commit 6535e9308a26e17023831fe68fb71d2febf2a002) --- sys/netpfil/ipfilter/netinet/ip_nat.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index 972511f43bd5..53c180cdfbca 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1771,6 +1771,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock) IPFERROR(60029); return (ENOMEM); } + bzero(ipn, ipns.ipn_dsize); if (getlock) { READ_ENTER(&softc->ipf_nat);
