Hi,

I noticed it is possible to specify an invalid netmask,
e.g. 1.1.1.1/10/20 and still get the address loaded into a table. I
conjecture this was introduced by the following change:

a7ede25358dad545e0342d2a9f8ef6ce68c6df66
Zap bits in host_v4(), use mask parameter

It looks like the author missed the path by which addresses are loaded with pfctl's '-T add' command. I guess the '/20' is dropped in host() and then '/10' is processed within host_ip() by inet_net_pton(), so no error is reported.

The proposed patch is attached. For me it works:

    OLD:
    # pfctl -t tableta -T add 1.1.1.1/10/20
    1 table created.
    1/1 addresses added.

    NEW:
    # $PFCTL -t tableta -T add 1.1.1.1/10/20
    netmask is invalid: /10/20

Petr

diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index ee3c2926f1a..5737846123d 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1627,7 +1627,7 @@ host(const char *s, int opts)
                if_name++;
        }
 
-       if ((p = strrchr(ps, '/')) != NULL) {
+       if ((p = strchr(ps, '/')) != NULL) {
                mask = strtonum(p+1, 0, 128, &errstr);
                if (errstr) {
                        fprintf(stderr, "netmask is %s: %s\n", errstr, p);
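Review bot: the strrchr() to strchr() swap in this hunk works only because strtonum() rejects anything that is not a whole number, so for "1.1.1.1/10/20" the string handed to it is "10/20", errstr becomes "invalid", and the fprintf() below prints the "netmask is invalid: /10/20" message quoted in the email; that dependency deserves a one-line comment above the `if`, and a regression case for both "1.1.1.1/10/20" (rejected) and "1.1.1.1/10" (accepted, where the first and last '/' coincide) so the behaviour does not silently drift back if the parsing is restructured later. It is also worth confirming that nothing reaching this point after the `if_name++` handling above can legitimately contain a second '/', since the split point has moved from the last to the first occurrence.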
