Date:      Wed, 14 Jan 2026 08:06:12 +0000
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 393243a38d74 - main - pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.
Message-ID:  <69674e74.af7a.30c5e251@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=393243a38d742e54d93c9c9ddb6c8f95fc0cb72e

commit 393243a38d742e54d93c9c9ddb6c8f95fc0cb72e
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-01-12 16:08:35 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-01-14 06:44:42 +0000

    pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.
    
    The current ifa_load() is not paranoid enough when it deals with
    information which comes from the kernel. The function just ignores
    the sa_len member in the socket address returned by getifaddrs().
    
    The issue has been reported by anton@. The idea for the fix here comes
    from claudio@.
    
    OK @claudio, @deraadt
    
    Obtained from:  OpenBSD, sashan <sashan@openbsd.org>, a48d060175
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl_parser.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 25d52f4ec823..233f5d641d2c 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1598,11 +1598,17 @@ ifa_load(void)
 			copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr);
 			ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family;
 			copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask);
-			if (ifa->ifa_broadaddr != NULL) {
+			if (ifa->ifa_broadaddr != NULL &&
+			    ifa->ifa_broadaddr->sa_len != 0) {
+				ifa->ifa_broadaddr->sa_family =
+				    ifa->ifa_addr->sa_family;
 				ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family;
 				copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr);
 			}
-			if (ifa->ifa_dstaddr != NULL) {
+			if (ifa->ifa_dstaddr != NULL &&
+			    ifa->ifa_dstaddr->sa_len != 0) {
+				ifa->ifa_dstaddr->sa_family =
+				    ifa->ifa_addr->sa_family;
 				ifa->ifa_dstaddr->sa_family = ifa->ifa_addr->sa_family;
 				copy_satopfaddr(&n->peer, ifa->ifa_dstaddr);
 			}
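Review bot: the sa_family assignment now runs twice in each branch, because the added wrapped form (`ifa->ifa_broadaddr->sa_family =` / `ifa->ifa_addr->sa_family;`) sits directly above the original single-line assignment, which is still present as unchanged context; the same holds for ifa_dstaddr. The result is harmless but redundant, and the stat line (8 insertions, 2 deletions) suggests the old lines were meant to be replaced rather than kept, so drop one copy in each branch. Two further points on the same hunk: the new guard only rejects sa_len == 0, so it would help to say in a comment (or the commit message) why a non-zero but short sa_len is not a concern for copy_satopfaddr(); and the context lines above write ifa->ifa_netmask->sa_family and copy from ifa_netmask with no NULL or sa_len check visible here, so either apply the same guard there or note where that pointer is already validated.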
