The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=4af4fefedd1bf14b5a27387075edde98744b722e
commit 4af4fefedd1bf14b5a27387075edde98744b722e Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-07-08 11:21:20 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-07-09 15:38:07 +0000 pf: ignore state update with invalid rtableid It's possible for a peer to send us a state update with an rtableid we don't support (i.e. >= net.fibs). Drop these updates rather than potentially crashing later by setting an invalid fib number. PR: 287981 MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/if_pfsync.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index fdedb9424117..64cc476fb3cb 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -763,6 +763,10 @@ pfsync_state_import(union pfsync_state_union *sp, int flags, int msg_version) __func__, msg_version); } + if (! (st->act.rtableid == -1 || + (st->act.rtableid >= 0 && st->act.rtableid < rt_numfibs))) + goto cleanup; + st->id = sp->pfs_1301.id; st->creatorid = sp->pfs_1301.creatorid; pf_state_peer_ntoh(&sp->pfs_1301.src, &st->src);
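Review bot: The rejection path at `goto cleanup` in pfsync_state_import() sets no error value and records nothing in the lines shown, so an update carrying an out-of-range rtableid is discarded silently and an operator cannot tell that a peer is sending them. Consider setting an explicit error before the jump (EINVAL would fit) and logging or counting the drop, so a misconfigured or misbehaving peer is visible. The negated compound condition `if (! (st->act.rtableid == -1 || ...))` is also harder to read than it needs to be: a one-line comment saying why -1 is accepted alongside the 0 to rt_numfibs - 1 range would help, and the space after `!` does not match the usual kernel style.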