The branch main has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=c2d03a920ec75c431f0c6af0ad9cb6ae43e48dda
commit c2d03a920ec75c431f0c6af0ad9cb6ae43e48dda
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-08-20 14:26:00 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-09-15 09:32:33 +0000
pfctl: fix anchortypes bounds test
found by "buffer overflow 'anchortypes' 10 <= 12" smatch error
feedback and ok sashan@, ok miod@ on an earlier version
Obtained from: OpenBSD, jsg <j...@openbsd.org>, 730c5d0121
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/pfctl_parser.c | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index ce58e0636022..6df7af0cc574 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -853,21 +853,22 @@ print_rule(struct pfctl_rule *r, const char *anchor_call,
int verbose, int numer
if (verbose)
printf("@%d ", r->nr);
- if (r->action == PF_MATCH)
- printf("match");
- else if (r->action > PF_NORDR)
- printf("action(%d)", r->action);
- else if (anchor_call[0]) {
- p = strrchr(anchor_call, '/');
- if (p ? p[1] == '_' : anchor_call[0] == '_')
- printf("%s", anchortypes[r->action]);
- else
- printf("%s \"%s\"", anchortypes[r->action],
- anchor_call);
+ if (anchor_call[0]) {
+ if (r->action >= nitems(anchortypes)) {
+ printf("anchor(%d)", r->action);
+ } else {
+ p = strrchr(anchor_call, '/');
+ if (p ? p[1] == '_' : anchor_call[0] == '_')
+ printf("%s", anchortypes[r->action]);
+ else
+ printf("%s \"%s\"", anchortypes[r->action],
+ anchor_call);
+ }
} else {
- printf("%s", actiontypes[r->action]);
- if (r->natpass)
- printf(" pass");
+ if (r->action >= nitems(actiontypes))
+ printf("action(%d)", r->action);
+ else
+ printf("%s", actiontypes[r->action]);
}
if (r->action == PF_DROP) {
if (r->rule_flag & PFRULE_RETURN)
