The branch main has been updated by pouria:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2e6b22abf44d99b84abf17fe25ca2e8f89716c04

commit 2e6b22abf44d99b84abf17fe25ca2e8f89716c04
Author:     Teddy Engel <[email protected]>
AuthorDate: 2026-06-02 16:24:57 +0000
Commit:     Pouria Mousavizadeh Tehrani <[email protected]>
CommitDate: 2026-06-22 22:15:36 +0000

    ipfw/nat64: Fix type confusion panic when using wrong NAT64 instance type
    
    Add etlv type validation to ipfw_nat64clat() and ipfw_nat64stl() to
    verify that the retrieved instance is actually a nat64clat instance
    before use.
    
    All NAT64 instance types share the same srvstate[] array but have
    different struct layouts.
    Without type validation, using the wrong instance type with
    a handler causes type confusion and kernel panic.
    
    Signed-off-by:  Teddy Engel <[email protected]>
    PR:             292023
    Reviewed by:    pouria
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/2259
---
 sys/netpfil/ipfw/nat64/nat64clat.c | 3 ++-
 sys/netpfil/ipfw/nat64/nat64stl.c  | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/ipfw/nat64/nat64clat.c b/sys/netpfil/ipfw/nat64/nat64clat.c
index c458f85755d3..15d052549792 100644
--- a/sys/netpfil/ipfw/nat64/nat64clat.c
+++ b/sys/netpfil/ipfw/nat64/nat64clat.c
@@ -214,7 +214,8 @@ ipfw_nat64clat(struct ip_fw_chain *chain, struct ip_fw_args *args,
        if (cmd->opcode != O_EXTERNAL_ACTION ||
            insntod(cmd, kidx)->kidx != V_nat64clat_eid ||
            icmd->opcode != O_EXTERNAL_INSTANCE ||
-           (cfg = NAT64_LOOKUP(chain, icmd)) == NULL)
+           (cfg = NAT64_LOOKUP(chain, icmd)) == NULL ||
+           cfg->no.etlv != IPFW_TLV_NAT64CLAT_NAME)
                return (0);
 
        switch (args->f_id.addr_type) {
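Review bot: The added test `cfg->no.etlv != IPFW_TLV_NAT64CLAT_NAME` reads `no` through this handler's own cfg type before the object is known to be of that type. It is therefore only sound if every NAT64 instance struct keeps `no` at the same offset, presumably as the first member; the struct definitions are not visible in this hunk. I would record that invariant next to the check, e.g. `/* srvstate[] is shared by all NAT64 types; 'no' must stay the first member of every instance struct so etlv can be read before the type is known */`, and ideally back it with a compile-time assertion on the offset in each instance header. The same applies to the `IPFW_TLV_NAT64STL_NAME` check in the nat64stl.c hunk. The body of ipfw_nat64clat() starts and ends outside the hunk.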
diff --git a/sys/netpfil/ipfw/nat64/nat64stl.c b/sys/netpfil/ipfw/nat64/nat64stl.c
index c1ca2dfd5e13..305ba1e9e8dc 100644
--- a/sys/netpfil/ipfw/nat64/nat64stl.c
+++ b/sys/netpfil/ipfw/nat64/nat64stl.c
@@ -217,7 +217,8 @@ ipfw_nat64stl(struct ip_fw_chain *chain, struct ip_fw_args *args,
        if (cmd->opcode != O_EXTERNAL_ACTION ||
            insntod(cmd, kidx)->kidx != V_nat64stl_eid ||
            icmd->opcode != O_EXTERNAL_INSTANCE ||
-           (cfg = NAT64_LOOKUP(chain, icmd)) == NULL)
+           (cfg = NAT64_LOOKUP(chain, icmd)) == NULL ||
+           cfg->no.etlv != IPFW_TLV_NAT64STL_NAME)
                return (0);
 
        switch (args->f_id.addr_type) {
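Review bot: A type mismatch now falls through the existing `return (0)` on the packet path without any trace, so a rule that names an instance of another NAT64 type stays installed and is hard to diagnose. The underlying problem looks like a rule-configuration error, so it would be more robust to also reject the mismatched instance when the rule is added; that code is not visible here, so this may already be planned or handled elsewhere. If the check has to stay in the handler, a short comment such as `/* instance exists but is not a nat64stl one: misconfigured rule */` would make the intent clear. Any other handler that resolves instances through `NAT64_LOOKUP` and is not touched by this commit should be checked for the same gap. The body of ipfw_nat64stl() starts and ends outside the hunk.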
