From 4808dd410672950f747c3a9f147cfc7900b24c42 Mon Sep 17 00:00:00 2001
From: Petr Vaganov
Date: Wed, 28 May 2025 18:45:23 +0500
Subject: [PATCH] ipfw: fix integer overflow in dummynet

Found during fuzzing using AFL++: "strtoul()" returns a large positive number or a negative number. Next, the sanitizer detects an integer overflow in line 555 ("bw*= 1000") or in line 558 ("bw*= 1000000") or in line 563 ("bw*= 8"), and the program crashes with the error "SIGILL: illegal instruction operand".
---
 ipfw/dummynet.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipfw/dummynet.c b/ipfw/dummynet.c
index fe87d16..a9a3efa 100644
--- a/ipfw/dummynet.c
+++ b/ipfw/dummynet.c
@@ -552,15 +552,18 @@ read_bandwidth(char *arg, int *bandwidth, char *if_name, int namelen)
 	bw = strtoul(arg, &end, 0);
 	if (*end == 'K' || *end == 'k') {
 		end++;
-		bw *= 1000;
+		if (__builtin_mul_overflow (bw, 1000, &bw))
+			errx(EX_DATAERR, "bandwidth too large");
 	} else if (*end == 'M' || *end == 'm') {
 		end++;
-		bw *= 1000000;
+		if (__builtin_mul_overflow (bw, 1000000, &bw))
+			errx(EX_DATAERR, "bandwidth too large");
 	}
 	if ((*end == 'B' &&
 	     _substrcmp2(end, "Bi", "Bit/s") != 0) ||
 	    _substrcmp2(end, "by", "bytes") == 0)
-		bw *= 8;
+		if (__builtin_mul_overflow (bw, 8, &bw))
+			errx(EX_DATAERR, "bandwidth too large");
 
 	if (bw < 0)
 		errx(EX_DATAERR, "bandwidth too large");
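Review bot: The three `__builtin_mul_overflow` guards only cover the multiplications; the narrowing at `bw = strtoul(arg, &end, 0);` in the hunk's first context line is still unchecked, so on an LP64 target an input above INT_MAX (or an out-of-range value that strtoul clamps with ERANGE) is silently truncated into `bw`, and if the surviving low bits are non-negative it passes the trailing `bw < 0` test as a small, wrong bandwidth. The declaration of `bw` is outside the hunk, as is the rest of read_bandwidth; the `bw < 0` test suggests it is a signed int, so the range check belongs at the parse, before any multiplication, by reading into an `unsigned long` and rejecting `errno == ERANGE` or a value above `INT_MAX` before the assignment. As a point of style, the new lines write `__builtin_mul_overflow (bw, ...)` with a space before the parenthesis, unlike every other call in this hunk, and the `bw *= 8` replacement nests an unbraced `if` inside an unbraced `if`; bracing the outer condition keeps the following `if (bw < 0)` visibly separate.
```c
	errno = 0;
	unsigned long v = strtoul(arg, &end, 0);
	if (errno == ERANGE || v > INT_MAX)
		errx(EX_DATAERR, "bandwidth too large");
	bw = (int)v;
	/* ... unchanged: K/M suffix scaling with __builtin_mul_overflow ... */
```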