The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=f33973f5360792835c82b3a164e0d043e8656a4a
commit f33973f5360792835c82b3a164e0d043e8656a4a Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-07-02 13:00:49 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-07-07 15:06:50 +0000 pfctl: Anchor names must not be empty The parser would allow bogus input and sometimes even produce invalid rules on empty anchor names, so error out immediately. OK sashan Obtained from: OpenBSD, kn <k...@openbsd.org>, 85af6f4b29 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/parse.y | 5 +++++ sbin/pfctl/pfctl.c | 2 ++ 2 files changed, 7 insertions(+) diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 2ebd528443fe..5c6102db3b55 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -922,6 +922,11 @@ varset : STRING '=' varstring { ; anchorname : STRING { + if ($1[0] == '\0') { + free($1); + yyerror("anchor name must not be empty"); + YYERROR; + } if (strlen(pf->anchor->path) + 1 + strlen($1) >= PATH_MAX) { free($1); diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index e490e933db5f..0fb0602eb04f 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -3129,6 +3129,8 @@ main(int argc, char *argv[]) if (anchoropt != NULL) { int len = strlen(anchoropt); + if (anchoropt[0] == '\0') + errx(1, "anchor name must not be empty"); if (mode == O_RDONLY && showopt == NULL && tblcmdopt == NULL) { warnx("anchors apply to -f, -F, -s, and -T only"); usage();
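Review bot: No regression test accompanies the new rejection in the `anchorname` action: the diffstat lists only parse.y and pfctl.c, although the description says empty names could produce invalid rules. A must-fail parser case with an input such as `anchor ""` (constructed example) would pin the `yyerror("anchor name must not be empty")` path. A matching case for the `-a ''` check in the pfctl.c hunk would keep the two copies of the rule from drifting apart. The error path itself frees `$1` before `YYERROR`, matching the length check that follows it. The `anchorname` action continues past the end of the hunk.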
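Review bot: The added test re-reads the string directly under `int len = strlen(anchoropt);`, so `if (len == 0)` would reuse the value just computed and make clear that the check guards the length handling in this block. The neighbouring misuse check reports through `warnx(...)` followed by `usage()`, while the new one exits through `errx(1, ...)`. If that difference is deliberate (a bad value rather than a bad flag combination), a short comment such as `/* bad value, not a usage error */` would record it. The `if (anchoropt != NULL)` block in `main` continues outside the hunk, so later uses of `len` are not visible here.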