The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=beb3c25d42a885f58f77dd36e1a31199c79fbd82
commit beb3c25d42a885f58f77dd36e1a31199c79fbd82 Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-07-02 13:18:20 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-07-07 15:06:50 +0000 pfctl: Fail on invalid netmasks when filling tables Fix a regression of revision 1.326 "Zap v4mask and v6mask in host()" which allowed CIDR networks with more than one "/" to be loaded into tables. I took care of this code path with regard to rules coming the ruleset parser, which aborts earlier on such invalid specifications, but missed `-T add 1/2/3' and the like. Analyzed and fixed by Petr Hoffmann <petr dot hoffmann at oracle dot com>, thanks! OK deraadt Obtained from: OpenBSD, kn <k...@openbsd.org>, dfaca1426d Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/pfctl_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index a213487fb648..26a213c3ffd9 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1794,7 +1794,7 @@ host(const char *s, int opts) char *p, *ps; const char *errstr; - if ((p = strrchr(s, '/')) != NULL) { + if ((p = strchr(s, '/')) != NULL) { mask = strtonum(p+1, 0, 128, &errstr); if (errstr) { fprintf(stderr, "netmask is %s: %s\n", errstr, p);
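Review bot: the strrchr-to-strchr change in host() is correct, but only because of a property of strtonum(3) that the hunk leaves undocumented: with the first "/" selected, p+1 becomes "2/3" for an input of "1/2/3", and strtonum() rejects any trailing non-numeric characters, so errstr is set and the existing `fprintf(stderr, "netmask is %s: %s\n", errstr, p);` branch now fires ("netmask is invalid: /2/3"). With strrchr(), p+1 was just "3", which parsed cleanly and let the malformed prefix continue down the table path. A one-line comment above the strchr() call stating that the first "/" is chosen deliberately so that any second "/" lands inside the netmask string and is rejected by strtonum() would keep a future cleanup from reverting to strrchr(); a regression test exercising `pfctl -T add 1/2/3` (the exact case the commit message names) would pin the behaviour, since the ruleset-parser path was already covered and this table path was the one that slipped through.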