diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2026-01-12 16:08:35 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2026-01-14 06:44:42 +0000 |
| commit | 393243a38d742e54d93c9c9ddb6c8f95fc0cb72e (patch) | |
| tree | 3c2a72511d050dec37285ea543acdffbdf0bcf84 | |
| parent | 95ee802f410f9b8afec2c3e66e524ec8ca861dae (diff) | |
pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.
The current ifa_load() is not paranoid enough when it deals with
information which comes from kernel. The function just ignores
sa_len member in socket address returned getifaddrs().
The issue has been reported by anton@. The idea for fix here comes
fromy claudio@.
OK @claudio, @deraadt
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, a48d060175
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sbin/pfctl/pfctl_parser.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 25d52f4ec823..233f5d641d2c 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1598,11 +1598,17 @@ ifa_load(void) copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr); ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family; copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask); - if (ifa->ifa_broadaddr != NULL) { + if (ifa->ifa_broadaddr != NULL && + ifa->ifa_broadaddr->sa_len != 0) { + ifa->ifa_broadaddr->sa_family = + ifa->ifa_addr->sa_family; ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family; copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr); } - if (ifa->ifa_dstaddr != NULL) { + if (ifa->ifa_dstaddr != NULL && + ifa->ifa_dstaddr->sa_len != 0) { + ifa->ifa_dstaddr->sa_family = + ifa->ifa_addr->sa_family; ifa->ifa_dstaddr->sa_family = ifa->ifa_addr->sa_family; copy_satopfaddr(&n->peer, ifa->ifa_dstaddr); } |