diff options
author | Jessica Clarke <jrtc27@FreeBSD.org> | 2022-05-22 08:31:42 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2022-05-22 08:31:42 +0000 |
commit | 298663855015c1eba7ccf5b88168f433653eb609 (patch) | |
tree | 31b3be28fbbfb99cb04d2d438879aa871c06a4e6 | |
parent | d94358e29d1eacab17e9992ad91decb1b84b9449 (diff) | |
download | src-298663855015c1eba7ccf5b88168f433653eb609.tar.gz src-298663855015c1eba7ccf5b88168f433653eb609.zip |
pfctl: fix out-of-bounds access
If pfctl is called with "pfctl -a ''" we read outside of the anchoropt
buffer. Check that the buffer is sufficiently long to avoid that.
Maintain the existing (and desired, because it's used as such in
/etc/periodic/security/520.pfdenied) behaviour of treating "-a ''" as a
request for the root anchor (or no anchor specified).
PR: 264128
Reviewed by: kp
-rw-r--r-- | sbin/pfctl/pfctl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index a1f8e5fedd4c..93d26e53d71d 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -2864,7 +2864,7 @@ main(int argc, char *argv[]) if (anchoropt != NULL) { int len = strlen(anchoropt); - if (anchoropt[len - 1] == '*') { + if (len >= 1 && anchoropt[len - 1] == '*') { if (len >= 2 && anchoropt[len - 2] == '/') anchoropt[len - 2] = '\0'; else |