Date:      Mon, 7 Jul 2025 15:07:58 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: f33973f53607 - main - pfctl: Anchor names must not be empty
Message-ID:  <202507071507.567F7wJm016693@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=f33973f5360792835c82b3a164e0d043e8656a4a

commit f33973f5360792835c82b3a164e0d043e8656a4a
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-02 13:00:49 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-07 15:06:50 +0000

    pfctl: Anchor names must not be empty
    
    The parser would allow bogus input and sometimes even produce invalid rules
    on empty anchor names, so error out immediately.
    
    OK sashan
    
    Obtained from:  OpenBSD, kn <kn@openbsd.org>, 85af6f4b29
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y | 5 +++++
 sbin/pfctl/pfctl.c | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 2ebd528443fe..5c6102db3b55 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -922,6 +922,11 @@ varset		: STRING '=' varstring	{
 		;
 
 anchorname	: STRING			{
+			if ($1[0] == '\0') {
+				free($1);
+				yyerror("anchor name must not be empty");
+				YYERROR;
+			}
 			if (strlen(pf->anchor->path) + 1 +
 			    strlen($1) >= PATH_MAX) {
 				free($1);
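Review bot: The new test in anchorname, if ($1[0] == '\0'), rejects only a zero-length STRING, and nothing in this hunk shows whether a name that is non-empty but has no usable component (for example one made up only of '/' characters) is caught before the PATH_MAX length check that follows. It is worth confirming that case is handled elsewhere, or extending the check here. The diffstat touches only parse.y and pfctl.c, so a regression test that feeds an empty anchor name to the parser and expects "anchor name must not be empty" would keep this from regressing. The free($1) before YYERROR matches the existing error path below it, which is good.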
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index e490e933db5f..0fb0602eb04f 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -3129,6 +3129,8 @@ main(int argc, char *argv[])
 	if (anchoropt != NULL) {
 		int len = strlen(anchoropt);
 
+		if (anchoropt[0] == '\0')
+			errx(1, "anchor name must not be empty");
 		if (mode == O_RDONLY && showopt == NULL && tblcmdopt == NULL) {
 			warnx("anchors apply to -f, -F, -s, and -T only");
 			usage();
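Review bot: In main(), the added check tests anchoropt[0] == '\0' one line after int len = strlen(anchoropt) has already been computed, so if (len == 0) would express the same condition with the value that is already there. Note also that this path exits through errx(1, ...) while the check directly below it uses warnx() followed by usage(); if that difference is intentional (an empty name is invalid input rather than a usage mistake), a short comment would make it clear. The message text "anchor name must not be empty" is now duplicated between pfctl.c and parse.y, which is fine for two call sites but should be kept in sync if it is ever reworded.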


