From 5154b2dffcd958dd6da2a93ce83e0a85be0b55d5 Mon Sep 17 00:00:00 2001
From: "Alexander V. Chernikov"
Date: Sat, 9 Jun 2012 17:39:05 +0000
Subject: [PATCH] Validate IPv4 network mask being passed to ipfw kernel interface. Incorrect mask can possibly be one of the reasons for kern/127209 existance. Approved by: kib(mentor) MFC after: 3 days
---
 sys/netinet/ipfw/ip_fw_table.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/sys/netinet/ipfw/ip_fw_table.c b/sys/netinet/ipfw/ip_fw_table.c
index 9de5d53d18a..5f4d35079f9 100644
--- a/sys/netinet/ipfw/ip_fw_table.c
+++ b/sys/netinet/ipfw/ip_fw_table.c
@@ -153,6 +153,9 @@ ipfw_add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, void *paddr,
 case IPFW_TABLE_CIDR:
 if (plen == sizeof(in_addr_t)) {
 #ifdef INET
+ /* IPv4 case */
+ if (mlen > 32)
+ return (EINVAL);
 ent = malloc(sizeof(*ent), M_IPFW_TBL, M_WAITOK | M_ZERO);
 ent->value = value;
 /* Set 'total' structure length */
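Review bot: The new `if (mlen > 32) return (EINVAL);` guard covers only the IPv4 arm of `case IPFW_TABLE_CIDR`, and the diffstat shows no other lines changed, so any other path that turns a caller-supplied `mlen` into a mask (an IPv6 arm or the matching delete routine, if they exist outside this hunk) is still unvalidated by this commit. Because the value arrives through the ipfw kernel interface, each such path should reject an out-of-range prefix length before building a mask from it. The bare `32` would read better tied to the address type, e.g. `if (mlen > sizeof(in_addr_t) * 8)`, with the comment stating the reason: `/* IPv4: reject prefix lengths wider than the address */`. The declaration of `mlen` is cut off in the hunk header; if it is a signed type the check also needs a lower bound. The body of `ipfw_add_table_entry` starts and ends outside the hunk.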