pfctl: fix possible out-of-bounds read

Tags in $10 (filter_opts) are not guaranteed to be the maximum possible tag length, so memcpy() can end up reading outside of the allocated buffer. Use strlcpy() instead. Reported by: CheriBSD Event: Kitchener-Waterloo Hackathon 202406
VultureProject · Jun 6, 2024 · dc3ee89 · dc3ee89
1 parent 8f04209
commit dc3ee89
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
@@ -1230,7 +1230,7 @@ etherrule	: ETHER action dir quick interface bridge etherproto etherfromto l3fro
 			r.direction = $3;
 			r.quick = $4.quick;
 			if ($10.tag != NULL)
-				memcpy(&r.tagname, $10.tag, sizeof(r.tagname));
+				strlcpy(r.tagname, $10.tag, sizeof(r.tagname));
 			if ($10.match_tag)
 				if (strlcpy(r.match_tagname, $10.match_tag,
 				    PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
@@ -1240,7 +1240,7 @@ etherrule	: ETHER action dir quick interface bridge etherproto etherfromto l3fro
 				}
 			r.match_tag_not = $10.match_tag_not;
 			if ($10.queues.qname != NULL)
-				memcpy(&r.qname, $10.queues.qname, sizeof(r.qname));
+				strlcpy(r.qname, $10.queues.qname, sizeof(r.qname));
 			r.dnpipe = $10.dnpipe;
 			r.dnflags = $10.free_flags;
 			if (eth_rule_label(&r, $10.label))