The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=393243a38d742e54d93c9c9ddb6c8f95fc0cb72e
commit 393243a38d742e54d93c9c9ddb6c8f95fc0cb72e Author: Kristof Provost <[email protected]> AuthorDate: 2026-01-12 16:08:35 +0000 Commit: Kristof Provost <[email protected]> CommitDate: 2026-01-14 06:44:42 +0000 pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer. The current ifa_load() is not paranoid enough when it deals with information which comes from kernel. The function just ignores sa_len member in socket address returned getifaddrs(). The issue has been reported by anton@. The idea for fix here comes fromy claudio@. OK @claudio, @deraadt Obtained from: OpenBSD, sashan <[email protected]>, a48d060175 Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl_parser.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 25d52f4ec823..233f5d641d2c 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1598,11 +1598,17 @@ ifa_load(void)
 copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr);
 ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family;
 copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask);
- if (ifa->ifa_broadaddr != NULL) {
+ if (ifa->ifa_broadaddr != NULL &&
+ ifa->ifa_broadaddr->sa_len != 0) {
+ ifa->ifa_broadaddr->sa_family =
+ ifa->ifa_addr->sa_family;
 ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family;
 copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr);
 }
- if (ifa->ifa_dstaddr != NULL) {
+ if (ifa->ifa_dstaddr != NULL &&
+ ifa->ifa_dstaddr->sa_len != 0) {
+ ifa->ifa_dstaddr->sa_family =
+ ifa->ifa_addr->sa_family;
 ifa->ifa_dstaddr->sa_family = ifa->ifa_addr->sa_family;
 copy_satopfaddr(&n->peer, ifa->ifa_dstaddr);
 }
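Review bot: The new guards in the `ifa_broadaddr` and `ifa_dstaddr` branches reject only `sa_len == 0`, so a sockaddr that is non-empty but shorter than the structure for `ifa->ifa_addr->sa_family` still has its family overwritten and is handed to `copy_satopfaddr()`. If that helper reads a full `struct sockaddr_in` or `struct sockaddr_in6` (its body is not in this hunk), the over-read named in the commit message stays reachable; comparing `sa_len` with the size that family needs, rather than with zero, would bound the read. `ifa_netmask` gets the same overwrite-and-copy at the top of the hunk with no length test visible here, though ifa_load() starts and ends outside the hunk, so it may be checked earlier. Separately, each branch now assigns `sa_family` twice, once in the added wrapped form and once in the unchanged line `ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family;` (likewise for `ifa_dstaddr`); one of the two should be dropped.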
