net/igmpproxy: Fix buffer overflow and use after free

Taken from upstream pull requests: https://github.com/pali/igmpproxy/pull/98 https://github.com/pali/igmpproxy/pull/99 PR: 291642 MFH: 2025Q4
2026-06-02 11:08:52 +00:00 · 2025-07-13 22:48:24 +00:00
parent 81e7ef04a4
commit a0bac3ef72
3 changed files with 56 additions and 2 deletions
@@ -1,6 +1,6 @@
 PORTNAME=	igmpproxy
 DISTVERSION=	0.4
-PORTREVISION=	2
+PORTREVISION=	3
 PORTEPOCH=	1
 CATEGORIES=	net

@@ -15,7 +15,6 @@ USES=		autoreconf
 USE_GITHUB=	yes
 GH_ACCOUNT=	pali
 GNU_CONFIGURE=	yes
-GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
 USE_RC_SUBR=	igmpproxy

 post-install:
@@ -0,0 +1,22 @@
+From 2b30c36e6ab5b21defb76ec6458ab7687984484c Mon Sep 17 00:00:00 2001
+From: Jan Klemkow <j.klemkow@wemelug.de>
+Date: Thu, 17 Apr 2025 19:02:16 +0200
+Subject: [PATCH] Fix Buffer Overflow #97
+
+---
+ src/igmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/igmp.c b/src/igmp.c
+index a80c4e5..838694c 100644
+--- src/igmp.c
+++ src/igmp.c
+@@ -94,7 +94,7 @@ static const char *igmpPacketKind(unsigned int type, unsigned int code) {
+     case IGMP_V2_LEAVE_GROUP:        return "Leave message     ";
+ 
+     default:
+-        sprintf(unknown, "unk: 0x%02x/0x%02x    ", type, code);
+        snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x    ", type, code);
+         return unknown;
+     }
+ }
@@ -0,0 +1,33 @@
+From e49fb373da9044dfb00ffbcd3e1f68ca7107af75 Mon Sep 17 00:00:00 2001
+From: Jan Klemkow <j.klemkow@wemelug.de>
+Date: Thu, 17 Apr 2025 18:53:18 +0200
+Subject: [PATCH] Fix use after free(3) in internAgeRoute().
+
+removeRoute(croute) calls free(croute).  Thus, the zeroing of
+croute->ageVifBits afterwards is unnecessary, illegal and an
+undefined behavior.
+---
+ src/rttable.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/rttable.c b/src/rttable.c
+index bcafa3fe..04e24f3b 100644
+--- src/rttable.c
+++ src/rttable.c
+@@ -704,13 +704,15 @@ int internAgeRoute(struct RouteTable*  croute) {
+ 
+             // No activity was registered within the timelimit, so remove the route.
+             removeRoute(croute);
+            croute = NULL;
+         }
+         // Tell that the route was updated...
+         result = 1;
+     }
+ 
+     // The aging vif bits must be reset for each round...
+-    BIT_ZERO(croute->ageVifBits);
+    if (croute != NULL)
+        BIT_ZERO(croute->ageVifBits);
+ 
+     return result;
+ }