03bbe1e11efcd651d7ef7c83837efbe Auto-Submitted: auto-generated The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=ba198fe8a03bbe1e11efcd651d7ef7c83837efbe commit ba198fe8a03bbe1e11efcd651d7ef7c83837efbe Author: Kristof Provost AuthorDate: 2025-10-29 10:40:52 +0000 Commit: Kristof Provost CommitDate: 2025-11-03 08:34:26 +0000 pf: improve add state validation Both for the DIOCADDSTATE ioctl and for states imported through pfsync packets. Add a test case to exercise this code path. Reported by: Ilja Van Sprundel MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit faacc0d968816cf8714c974b6d8df6191cfb0e0d)
---
 sys/netpfil/pf/if_pfsync.c | 3 +++
 tests/sys/netpfil/pf/ioctl/validation.c | 25 +++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index e071197f17ce..c43cb59d8705 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -475,6 +475,9 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
 PF_RULES_RASSERT();
+ if (strnlen(sp->ifname, IFNAMSIZ) == IFNAMSIZ)
+ return (EINVAL);
+
 if (sp->creatorid == 0) {
 if (V_pf_status.debug >= PF_DEBUG_MISC)
 printf("%s: invalid creator id: %08x\n", __func__,
diff --git a/tests/sys/netpfil/pf/ioctl/validation.c b/tests/sys/netpfil/pf/ioctl/validation.c
index 1ce8999dcb91..152a9678812b 100644
--- a/tests/sys/netpfil/pf/ioctl/validation.c
+++ b/tests/sys/netpfil/pf/ioctl/validation.c
@@ -32,6 +32,7 @@
 #include
 #include
+#include
 #include
 #include
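Review bot: The new `strnlen(sp->ifname, IFNAMSIZ) == IFNAMSIZ` check at the top of pfsync_state_import() in sys/netpfil/pf/if_pfsync.c returns EINVAL with no diagnostic, while the creator-id check directly below it logs under `PF_DEBUG_MISC`. The commit message says this path also handles states imported from pfsync packets, so a rejected record deserves the same trace to let an operator notice a peer sending malformed states; I would brace the branch and add `if (V_pf_status.debug >= PF_DEBUG_MISC)` / `printf("%s: unterminated ifname\n", __func__);` before the return. A one-line comment such as `/* ifname must be NUL-terminated within IFNAMSIZ before it is used as a string. */` would also record why the check exists. The later uses of sp->ifname are outside this hunk, so that wording should be confirmed against the rest of the function.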
@@ -894,6 +895,29 @@ ATF_TC_CLEANUP(rpool_mtx2, tc)
 }
+ATF_TC_WITH_CLEANUP(addstate);
+ATF_TC_HEAD(addstate, tc)
+{
+ atf_tc_set_md_var(tc, "require.user", "root");
+}
+
+ATF_TC_BODY(addstate, tc)
+{
+ struct pfioc_state st;
+
+ COMMON_HEAD();
+
+ memset(&st, 'a', sizeof(st));
+ st.state.timeout = PFTM_TCP_FIRST_PACKET;
+
+ ATF_CHECK_ERRNO(EINVAL, ioctl(dev, DIOCADDSTATE, &st) == -1);
+}
+
+ATF_TC_CLEANUP(addstate, tc)
+{
+ COMMON_CLEANUP();
+}
+
 ATF_TP_ADD_TCS(tp)
 {
 ATF_TP_ADD_TC(tp, addtables);
@@ -918,6 +942,7 @@ ATF_TP_ADD_TCS(tp)
 ATF_TP_ADD_TC(tp, tag);
 ATF_TP_ADD_TC(tp, rpool_mtx);
 ATF_TP_ADD_TC(tp, rpool_mtx2);
+ ATF_TP_ADD_TC(tp, addstate);
 return (atf_no_error());
 }
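Review bot: The addstate test body fills the whole `struct pfioc_state` with 'a' and asserts only EINVAL, so it cannot tell the new unterminated-interface-name rejection apart from any other validation failure on the same request. It may therefore pass even with the ifname check removed, if some other 0x61-filled field is rejected first; whether that happens depends on checks outside this diff. Consider zeroing the struct, setting the fields earlier checks require (the if_pfsync.c hunk shows a zero creatorid is rejected), and filling only the interface name with non-NUL bytes. At minimum add a comment above the memset, e.g. `/* Every byte is 'a', so the embedded interface name has no NUL terminator. */`, and note why `timeout` alone is set to a valid value (presumably to get past an earlier timeout check, which should be confirmed).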