pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.

The current ifa_load() is not paranoid enough when it deals with
information which comes from the kernel. The function just ignores
the sa_len member in the socket address returned by getifaddrs().

The issue has been reported by anton@. The idea for the fix here comes
from claudio@.

OK @claudio, @deraadt

Obtained from:	OpenBSD, sashan <sashan@openbsd.org>, a48d060175
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost
2026-01-12 17:08:35 +01:00
parent 95ee802f41
commit 393243a38d
+8 -2
@@ -1598,11 +1598,17 @@ ifa_load(void)
copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr);
ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family;
copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask);
if (ifa->ifa_broadaddr != NULL) {
if (ifa->ifa_broadaddr != NULL &&
ifa->ifa_broadaddr->sa_len != 0) {
ifa->ifa_broadaddr->sa_family =
ifa->ifa_addr->sa_family;
ifa->ifa_broadaddr->sa_family = ifa->ifa_addr->sa_family;
copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr);
}
if (ifa->ifa_dstaddr != NULL) {
if (ifa->ifa_dstaddr != NULL &&
ifa->ifa_dstaddr->sa_len != 0) {
ifa->ifa_dstaddr->sa_family =
ifa->ifa_addr->sa_family;
ifa->ifa_dstaddr->sa_family = ifa->ifa_addr->sa_family;
copy_satopfaddr(&n->peer, ifa->ifa_dstaddr);
}
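
Review bot: the netmask copy in the context lines at the top of this hunk is still unguarded. `ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family;` followed by `copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask);` dereferences and reads ifa_netmask with no NULL or sa_len test, while ifa_broadaddr and ifa_dstaddr now get both. If getifaddrs() can hand back a zero-length broadcast or destination sockaddr, either apply the same `sa_len != 0` test to the netmask or add a comment saying why it cannot happen there. The new condition also rejects only a length of zero, so a short comment stating why any non-zero sa_len is safe for copy_satopfaddr() (or a comparison against the size expected for the address family) would make the bound explicit. Note too that the sa_family assignment writes into the kernel-supplied sockaddr; it is correctly inside the guarded block for the two changed cases, and the same ordering should hold if the netmask gets a check.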