From nobody Fri Jul 18 09:53:06 2025
Date: Fri, 18 Jul 2025 09:53:06 GMT
Message-Id: <202507180953.56I9r6ck046881@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: c3cc26afc922 - main - pf: stricter af checks for af-to rules
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c3cc26afc9226d808389bca8e939f408415b72ad
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=c3cc26afc9226d808389bca8e939f408415b72ad

commit c3cc26afc9226d808389bca8e939f408415b72ad
Author:     Kristof Provost
AuthorDate: 2025-07-09 14:48:06 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-18 07:33:29 +0000

    pf: stricter af checks for af-to rules

    An af-to pf rule must have an address family naf to use after
    translation. Make stricter sanity checks in pf ioctl to avoid later
    crashes during packet processing.

    Reported-by: syzbot+0ef9190e7d0195496d0d@syzkaller.appspotmail.com
    OK sashan@

    Obtained from: OpenBSD, bluhm , 035d4f5430
    Sponsored by: Rubicon Communications, LLC ("Netgate")
--- sys/netpfil/pf/pf_ioctl.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 3caa0d2e3b11..937619977fd9 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -2041,6 +2041,34 @@ pf_ioctl_getrules(struct pfioc_rule *pr) return (0); } +static int +pf_rule_checkaf(struct pf_krule *r) +{ + switch (r->af) { + case 0: + if (r->rule_flag & PFRULE_AFTO) + return (EPFNOSUPPORT); + break; + case AF_INET: + if ((r->rule_flag & PFRULE_AFTO) && r->naf != AF_INET6) + return (EPFNOSUPPORT); + break; +#ifdef INET6 + case AF_INET6: + if ((r->rule_flag & PFRULE_AFTO) && r->naf != AF_INET) + return (EPFNOSUPPORT); + break; +#endif /* INET6 */ + default: + return (EPFNOSUPPORT); + } + + if ((r->rule_flag & PFRULE_AFTO) == 0 && r->naf != 0) + return (EPFNOSUPPORT); + + return (0); +} + static int pf_validate_range(uint8_t op, uint16_t port[2]) { @@ -2073,6 +2101,8 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, #define ERROUT(x) ERROUT_FUNCTION(errout, x) + if ((error = pf_rule_checkaf(rule))) + ERROUT(error); if (pf_validate_range(rule->src.port_op, rule->src.port)) ERROUT(EINVAL); if (pf_validate_range(rule->dst.port_op, rule->dst.port)) @@ -3741,6 +3771,10 @@ DIOCGETRULENV_error: break; } + if ((error = pf_rule_checkaf(newrule))) { + pf_krule_free(newrule); + break; + } if (newrule->ifname[0]) kif = pf_kkif_create(M_WAITOK); pf_counter_u64_init(&newrule->evaluations, M_WAITOK);
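
Review bot: in pf_rule_checkaf() (first hunk), the `case AF_INET:` arm accepts an af-to rule with `naf == AF_INET6` even on a kernel built without INET6, because only the `case AF_INET6:` arm sits under `#ifdef INET6`. It is worth checking whether such a rule can reach packet processing with no IPv6 code compiled in; if it can, return EPFNOSUPPORT for any PFRULE_AFTO rule in that configuration, and consider whether `case AF_INET:` wants a matching `#ifdef INET`. A one-line comment above the function stating the invariant (af-to requires af and naf to be the two different families, non-af-to requires naf == 0) would also help the next reader, and `r` can be `const struct pf_krule *` since nothing is modified.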
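
Review bot: in the pf_ioctl_addrule() hunk, `if ((error = pf_rule_checkaf(rule)))` hands EPFNOSUPPORT straight back to the caller while the neighbouring pf_validate_range() checks report EINVAL, so this path gains an errno value that existing userland may not expect from a malformed rule. Please confirm that callers surface it sensibly, or map it to EINVAL here, and mention the new failure mode wherever the rule-add interface is documented. Writing the test as `(error = pf_rule_checkaf(rule)) != 0` would make the assignment-in-condition explicit.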
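
Review bot: the third hunk (`@@ -3741,6 +3771,10 @@`) applies the same check on a second entry point, but the diffstat shows only pf_ioctl.c changed, so neither path has a regression test for the syzbot-reported case. A test that submits an af-to rule with naf unset, and a non-af-to rule with naf set, through both paths and expects the ioctl to fail would keep the two call sites from drifting apart. The manual `pf_krule_free(newrule); break;` is correct only while the check stays ahead of pf_kkif_create() and pf_counter_u64_init(), as it does in the visible context; a short comment saying so would protect that ordering.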