The branch stable/14 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=d78f36183a26e2652228c2f7e673ad1b58b3770a
commit d78f36183a26e2652228c2f7e673ad1b58b3770a Author: Cy Schubert <[email protected]> AuthorDate: 2025-10-22 15:59:26 +0000 Commit: Cy Schubert <[email protected]> CommitDate: 2025-10-26 03:14:51 +0000 ipfilter: Plug ip_nat kernel information leak ipf_nat_getent() allocates a variable-sized nat_save_t buffer with KMALLOCS() (which does not zero memory) and then copies only a subset of fields into it before returning the object to userland using ipf_outobjsz(). Because the structure is not fully initialized on all paths, uninitialized kernel heap bytes can be copied back to user space, resulting in an information leak. We fix this by zeroing out the data structure immediately after allocation. Reported by: Ilja Van Sprundel <[email protected]> Reviewed by: emaste Differential revision: https://reviews.freebsd.org/D53274 (cherry picked from commit 6535e9308a26e17023831fe68fb71d2febf2a002) --- sys/netpfil/ipfilter/netinet/ip_nat.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index 290af20e4765..3f8f3c2a342c 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1775,6 +1775,7 @@ ipf_nat_getent(ipf_main_softc_t *softc, caddr_t data, int getlock) IPFERROR(60029); return (ENOMEM); } + bzero(ipn, ipns.ipn_dsize); if (getlock) { READ_ENTER(&softc->ipf_nat);
