git: 763f18140d37 - stable/14 - net: Validate interface group names in ioctl handlers

Tue, 04 Nov 2025 05:25:09 -0800 

The branch stable/14 has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=763f18140d37d848aa6647e88f36dc468207c41d

commit 763f18140d37d848aa6647e88f36dc468207c41d
Author:     Mark Johnston <[email protected]>
AuthorDate: 2025-10-27 16:27:13 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2025-11-04 13:24:42 +0000

    net: Validate interface group names in ioctl handlers
    
    The handlers were not checking that the group names are nul-terminated.
    Add checks for this.
    
    Reported by:    Ilja Van Sprundel <[email protected]>
    Reviewed by:    zlei
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D53344
    
    (cherry picked from commit 32919a34f17ac1af99dec7376f22a8393c251602)
---
 sys/net/if.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index 607bcdd2aa80..0c7e32e858bc 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -2850,15 +2850,20 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, 
struct thread *td)
                break;
 
        case SIOCAIFGROUP:
+       {
+               const char *groupname;
+
                error = priv_check(td, PRIV_NET_ADDIFGROUP);
                if (error)
                        return (error);
-               error = if_addgroup(ifp,
-                   ((struct ifgroupreq *)data)->ifgr_group);
+               groupname = ((struct ifgroupreq *)data)->ifgr_group;
+               if (strnlen(groupname, IFNAMSIZ) == IFNAMSIZ)
+                       return (EINVAL);
+               error = if_addgroup(ifp, groupname);
                if (error != 0)
                        return (error);
                break;
-
+       }
        case SIOCGIFGROUP:
        {
                struct epoch_tracker et;
@@ -2870,15 +2875,20 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, 
struct thread *td)
        }
 
        case SIOCDIFGROUP:
+       {
+               const char *groupname;
+
                error = priv_check(td, PRIV_NET_DELIFGROUP);
                if (error)
                        return (error);
-               error = if_delgroup(ifp,
-                   ((struct ifgroupreq *)data)->ifgr_group);
+               groupname = ((struct ifgroupreq *)data)->ifgr_group;
+               if (strnlen(groupname, IFNAMSIZ) == IFNAMSIZ)
+                       return (EINVAL);
+               error = if_delgroup(ifp, groupname);
                if (error != 0)
                        return (error);
                break;
-
+       }
        default:
                error = ENOIOCTL;
                break;
@@ -3022,9 +3032,17 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, 
struct thread *td)
                goto out_noref;
 
        case SIOCGIFGMEMB:
-               error = if_getgroupmembers((struct ifgroupreq *)data);
-               goto out_noref;
+       {
+               struct ifgroupreq *req;
 
+               req = (struct ifgroupreq *)data;
+               if (strnlen(req->ifgr_name, IFNAMSIZ) == IFNAMSIZ) {
+                       error = EINVAL;
+                       goto out_noref;
+               }
+               error = if_getgroupmembers(req);
+               goto out_noref;
+       }
 #if defined(INET) || defined(INET6)
        case SIOCSVH:
        case SIOCGVH:

Reply via email to