git: f33973f53607 - main - pfctl: Anchor names must not be empty

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 07 Jul 2025 15:07:58 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=f33973f5360792835c82b3a164e0d043e8656a4a

commit f33973f5360792835c82b3a164e0d043e8656a4a
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-02 13:00:49 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-07 15:06:50 +0000

    pfctl: Anchor names must not be empty
    
    The parser would allow bogus input and sometimes even produce invalid rules
    on empty anchor names, so error out immediately.
    
    OK sashan
    
    Obtained from:  OpenBSD, kn <kn@openbsd.org>, 85af6f4b29
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y | 5 +++++
 sbin/pfctl/pfctl.c | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 2ebd528443fe..5c6102db3b55 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -922,6 +922,11 @@ varset		: STRING '=' varstring	{
 		;
 
 anchorname	: STRING			{
+			if ($1[0] == '\0') {
+				free($1);
+				yyerror("anchor name must not be empty");
+				YYERROR;
+			}
 			if (strlen(pf->anchor->path) + 1 +
 			    strlen($1) >= PATH_MAX) {
 				free($1);
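Review bot: The new guard at the top of the `anchorname` action rejects only the completely empty string, so a name that contains an empty path component (for example `a//b`) still goes on to the `PATH_MAX` length check below it. The same is true of the `anchoropt[0] == '\0'` test added in the pfctl.c hunk. Whether such names are normalised or rejected somewhere else is not visible in this diff, and the action continues past the end of the hunk. If only the empty string is meant to be refused here, a comment above the guard would make that scope explicit, e.g. `/* Rejects only ""; names with empty components such as "a//b" are not checked here. */`.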
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index e490e933db5f..0fb0602eb04f 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -3129,6 +3129,8 @@ main(int argc, char *argv[])
 	if (anchoropt != NULL) {
 		int len = strlen(anchoropt);
 
+		if (anchoropt[0] == '\0')
+			errx(1, "anchor name must not be empty");
 		if (mode == O_RDONLY && showopt == NULL && tblcmdopt == NULL) {
 			warnx("anchors apply to -f, -F, -s, and -T only");
 			usage();
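Review bot: A style point on the added check: `len` already holds `strlen(anchoropt)` from the line two above, so re-inspecting the first byte introduces a second way of asking the same question inside one block. Writing it as `if (len == 0)` keeps the block on a single length variable. The `if (anchoropt != NULL)` block in `main` continues outside the hunk, so the check is only known to apply to the raw `-a` argument as passed in; any later change to `anchoropt` cannot be seen from here.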