net/igmpproxy: Fix buffer overflow and use after free

leper · rbgarga · commit a73455f3cd38 · 2025-12-23T07:55:50.000-03:00
Taken from upstream pull requests: pali/igmpproxy#98 pali/igmpproxy#99 PR: 291642 MFH: 2025Q4 (cherry picked from commit a0bac3e)
diff --git a/net/igmpproxy/Makefile b/net/igmpproxy/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	igmpproxy
 DISTVERSION=	0.4
-PORTREVISION=	2
+PORTREVISION=	3
 PORTEPOCH=	1
 CATEGORIES=	net
 
@@ -15,7 +15,6 @@ USES=		autoreconf
 USE_GITHUB=	yes
 GH_ACCOUNT=	pali
 GNU_CONFIGURE=	yes
-GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
 USE_RC_SUBR=	igmpproxy
 
 post-install:
diff --git a/net/igmpproxy/files/patch-fix-buffer-overflow_igmp.c b/net/igmpproxy/files/patch-fix-buffer-overflow_igmp.c
@@ -0,0 +1,22 @@
+From 2b30c36e6ab5b21defb76ec6458ab7687984484c Mon Sep 17 00:00:00 2001
+From: Jan Klemkow <j.klemkow@wemelug.de>
+Date: Thu, 17 Apr 2025 19:02:16 +0200
+Subject: [PATCH] Fix Buffer Overflow #97
+
+---
+ src/igmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/igmp.c b/src/igmp.c
+index a80c4e5..838694c 100644
+--- src/igmp.c
++++ src/igmp.c
+@@ -94,7 +94,7 @@ static const char *igmpPacketKind(unsigned int type, unsigned int code) {
+     case IGMP_V2_LEAVE_GROUP:        return "Leave message     ";
+ 
+     default:
+-        sprintf(unknown, "unk: 0x%02x/0x%02x    ", type, code);
++        snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x    ", type, code);
+         return unknown;
+     }
+ }
diff --git a/net/igmpproxy/files/patch-src_rttable.c b/net/igmpproxy/files/patch-src_rttable.c
@@ -0,0 +1,33 @@
+From e49fb373da9044dfb00ffbcd3e1f68ca7107af75 Mon Sep 17 00:00:00 2001
+From: Jan Klemkow <j.klemkow@wemelug.de>
+Date: Thu, 17 Apr 2025 18:53:18 +0200
+Subject: [PATCH] Fix use after free(3) in internAgeRoute().
+
+removeRoute(croute) calls free(croute).  Thus, the zeroing of
+croute->ageVifBits afterwards is unnecessary, illegal and an
+undefined behavior.
+---
+ src/rttable.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/rttable.c b/src/rttable.c
+index bcafa3fe..04e24f3b 100644
+--- src/rttable.c
++++ src/rttable.c
+@@ -704,13 +704,15 @@ int internAgeRoute(struct RouteTable*  croute) {
+ 
+             // No activity was registered within the timelimit, so remove the route.
+             removeRoute(croute);
++            croute = NULL;
+         }
+         // Tell that the route was updated...
+         result = 1;
+     }
+ 
+     // The aging vif bits must be reset for each round...
+-    BIT_ZERO(croute->ageVifBits);
++    if (croute != NULL)
++        BIT_ZERO(croute->ageVifBits);
+ 
+     return result;
+ }
