The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=7ea14ad4db6bd840c05eaa8b4ebb941c983a9424
commit 7ea14ad4db6bd840c05eaa8b4ebb941c983a9424 Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-07-02 12:46:51 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-07-07 15:06:50 +0000 pfctl: Unify anchor name sanity checks For anchor names, make `load anchor' use the same grammar as `anchor' and merge unique checks from both places so that anchor names are validated regardless of the specific rule at hand. OK sashan Obtained from: OpenBSD, kn <k...@openbsd.org>, 0f06db3497 Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/parse.y | 33 +++++++++++++++++++--------------
1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0b98bd357a37..2ebd528443fe 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -921,7 +921,22 @@ varset : STRING '=' varstring { } ;
-anchorname : STRING { $$ = $1; }
+anchorname : STRING {
+ if (strlen(pf->anchor->path) + 1 + + strlen($1) >= PATH_MAX) {
+ free($1);
+ yyerror("anchor name is longer than %u", + PATH_MAX - 1);
+ YYERROR;
+ }
+ if ($1[0] == '_' || strstr($1, "/_") != NULL) {
+ free($1);
+ yyerror("anchor names beginning with '_' "
+ "are reserved for internal use");
+ YYERROR;
+ }
+ $$ = $1;
+ } | /* empty */ { $$ = NULL; } ;
@@ -974,13 +989,6 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto YYERROR; }
- if ($2 && ($2[0] == '_' || strstr($2, "/_") != NULL)) {
- free($2);
- yyerror("anchor names beginning with '_' "
- "are reserved for internal use");
- YYERROR;
- } - pfctl_init_rule(&r); if (pf->astack[pf->asd + 1]) { 
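Review bot: In the new `anchorname` action, `yyerror("anchor name is longer than %u", PATH_MAX - 1)` prints an `int` expression with `%u`; on FreeBSD `PATH_MAX` appears to expand to a plain decimal constant, so `%d` (or an explicit cast to `unsigned`) would match the argument and keep `-Wformat-signedness` quiet — the mismatch is inherited from the `%u` in the old `load anchor` message this replaces. Since this rule is now the single place where both `anchor` and `load anchor` names are checked, a short comment above it would help the next reader, e.g. `/* Shared by anchorrule and loadrule: bound the resulting anchor path and reject reserved '_' components. */`. The `anchorname` rule is complete within the hunk; the surrounding `varset` and `anchorrule` rules extend outside it.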
@@ -1162,14 +1170,11 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto } ;
-loadrule : LOAD ANCHOR string FROM string {
+loadrule : LOAD ANCHOR anchorname FROM string { struct loadanchors *loadanchor;
- if (strlen(pf->anchor->path) + 1 + - strlen($3) >= MAXPATHLEN) {
- yyerror("anchorname %s too long, max %u\n", - $3, MAXPATHLEN - 1);
- free($3);
+ if ($3 == NULL) {
+ yyerror("anchor name is missing"); YYERROR; } loadanchor = calloc(1, sizeof(struct loadanchors));
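Review bot: The length bound on `$3` now comes from `anchorname` and is expressed as `PATH_MAX`, while the check removed here used `MAXPATHLEN`, which is presumably still what sizes the `anchorname` buffer filled further down in `loadrule` (outside the hunk). On FreeBSD `MAXPATHLEN` is defined as `PATH_MAX`, so the bound still matches the buffer, but the two names now sit on opposite sides of the check; using one of them in both places, or a one-line comment at the `calloc` such as `/* $3 was bounded to PATH_MAX (== MAXPATHLEN) by anchorname. */`, would make that dependence explicit. Note also that with `anchorname` allowing the empty alternative, `load anchor from "file"` is now accepted by the grammar and rejected only by the `$3 == NULL` test, which is fine but worth a word in a comment next to that test. `loadrule`'s body continues past the end of the hunk.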