git: 393243a38d74 - main - pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 14 Jan 2026 08:06:12 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=393243a38d742e54d93c9c9ddb6c8f95fc0cb72e
commit 393243a38d742e54d93c9c9ddb6c8f95fc0cb72e
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-01-12 16:08:35 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-01-14 06:44:42 +0000
pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.
The current ifa_load() is not paranoid enough when it deals with
information which comes from kernel. The function just ignores
sa_len member in socket address returned getifaddrs().
The issue has been reported by anton@. The idea for fix here comes
fromy claudio@.
OK @claudio, @deraadt
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, a48d060175
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/pfctl_parser.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 25d52f4ec823..233f5d641d2c 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1598,11 +1598,17 @@ ifa_load(void)
copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr);
ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family;
copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask);
- if (ifa->ifa_broadaddr != NULL) {
+ if (ifa->ifa_broadaddr != NULL &&
+ ifa->ifa_broadaddr->sa_len != 0) {
+ ifa->ifa_broadaddr->sa_family =
+ ifa->ifa_addr->sa_family;
ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family;
copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr);
}
- if (ifa->ifa_dstaddr != NULL) {
+ if (ifa->ifa_dstaddr != NULL &&
+ ifa->ifa_dstaddr->sa_len != 0) {
+ ifa->ifa_dstaddr->sa_family =
+ ifa->ifa_addr->sa_family;
ifa->ifa_dstaddr->sa_family = ifa->ifa_addr->sa_family;
copy_satopfaddr(&n->peer, ifa->ifa_dstaddr);
}