From d0a8694ed63d4a7d7ed3a1f490d0ab7aa3855e01 Mon Sep 17 00:00:00 2001 From: Alexandr Nedvedicky Date: Sat, 25 Nov 2017 22:26:26 +0000 Subject: - pfctl fails to handle nested 'load anchor' properly [ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ] OK bluhm@ --- sbin/pfctl/parse.y | 6 +++--- sbin/pfctl/pfctl.c | 19 ++++++++++--------- 2 files changed, 13 insertions(+), 12 deletions(-) (limited to 'sbin') diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index e1dcfbc382f..2f1cf16252a 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.665 2017/11/14 22:17:41 sashan Exp $ */ +/* $OpenBSD: parse.y,v 1.666 2017/11/25 22:26:25 sashan Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -939,7 +939,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto loadrule : LOAD ANCHOR string FROM string { struct loadanchors *loadanchor; - if (strlen(pf->anchor->name) + 1 + + if (strlen(pf->anchor->path) + 1 + strlen($3) >= PATH_MAX) { yyerror("anchorname %s too long, max %u\n", $3, PATH_MAX - 1); @@ -954,7 +954,7 @@ loadrule : LOAD ANCHOR string FROM string { err(1, "loadrule: malloc"); if (pf->anchor->name[0]) snprintf(loadanchor->anchorname, PATH_MAX, - "%s/%s", pf->anchor->name, $3); + "%s/%s", pf->anchor->path, $3); else strlcpy(loadanchor->anchorname, $3, PATH_MAX); if ((loadanchor->filename = strdup($5)) == NULL) diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index d6cfc132c0e..6c66aa5bb25 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.350 2017/09/26 20:23:32 sashan Exp $ */ +/* $OpenBSD: pfctl.c,v 1.351 2017/11/25 22:26:25 sashan Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1658,20 +1658,21 @@ pfctl_rules(int dev, char *filename, int opts, int optimize, free(path); path = NULL; - /* process "load anchor" directives that might have used queues */ - if (!anchorname[0]) { + if (trans == NULL) { + /* + * process "load anchor" directives that might have used queues + */ if (pfctl_load_anchors(dev, &pf, t) == -1) ERRX("load anchors"); pfctl_clear_queues(&qspecs); pfctl_clear_queues(&rootqs); - } - if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) { - if (!anchorname[0]) - if (pfctl_load_options(&pf)) + if ((opts & PF_OPT_NOACTION) == 0) { + if (!anchorname[0] && pfctl_load_options(&pf)) goto _error; - if (pfctl_trans(dev, t, DIOCXCOMMIT, osize)) - ERR("DIOCXCOMMIT"); + if (pfctl_trans(dev, t, DIOCXCOMMIT, osize)) + ERR("DIOCXCOMMIT"); + } } return (0); -- cgit v1.2.3