pfr_fill_feedback() in sys/net/pf_table.c reads the weight field
unconditionally at line 302:
ad->pfra_weight = ((struct pfr_kentry_cost *)ke)->weight;
For PFRKE_PLAIN entries, which are allocated smaller than
pfr_kentry_cost, this reads past the allocation.
pfr_copyout_addr() already handles this correctly at lines
1373-1375 by guarding the access with a type check. Apply the
same pattern to pfr_fill_feedback.
Index: sys/net/pf_table.c
===================================================================
--- sys/net/pf_table.c
+++ sys/net/pf_table.c
@@ -299,7 +299,10 @@ pfr_fill_feedback(struct pfr_kentry_all
default:
unhandled_af(ke->pfrke_af);
}
- ad->pfra_weight = ((struct pfr_kentry_cost *)ke)->weight;
+ if (ke->pfrke_type == PFRKE_COST)
+ ad->pfra_weight = ((struct pfr_kentry_cost *)ke)->weight;
+ else
+ ad->pfra_weight = 0;
ad->pfra_af = ke->pfrke_af;
ad->pfra_net = ke->pfrke_net;
if (ke->pfrke_flags & PFRKE_FLAG_NOT)
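Review bot: The new `if (ke->pfrke_type == PFRKE_COST)` branch repeats the same type check the description says pfr_copyout_addr already carries, so the two call sites can drift apart the next time a kentry variant is added; a small `static inline` helper returning the weight (and 0 for any non-cost type) used by both functions would keep that invariant in one place. Independently of that, the cast deserves a why-comment at the point of use, since nothing in the line itself says the layout differs by type: `/* only PFRKE_COST entries are allocated as pfr_kentry_cost; other types are smaller and have no weight field */`. The explicit `else ad->pfra_weight = 0;` is worth keeping even if `ad` turns out to be zeroed by the caller, as it makes the copy-out value independent of caller state. pfr_fill_feedback starts before this hunk and continues after it (the body of the trailing `if` is outside the hunk).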