On Wed, Apr 17, 2019 at 03:06:16PM +0200, Petr Hoffmann wrote: > I noticed pfctl crashes on segfault when anchors go too deep: Yes, I've already seen this at some point but didn't get around to fixing it properly - thanks for the reminder.
> It seems there is no check we fit into pfctl.astack[]. The attached > patch resolves this issue: Fixing the parser alone does not suffice: # echo block | pfctl -a $(jot -s/ 66) -f- # pfctl -vsA -a1 | wc -l 65 /sys/net/pf.c 160:#define PF_ANCHOR_STACK_MAX 64 This limit is not hit in my example; I have not yet spend time on this, but I think the kernel should refuse this. > diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y > index 15555e7ce21..5e19c5f39da 100644 > --- a/sbin/pfctl/parse.y > +++ b/sbin/pfctl/parse.y > @@ -846,6 +846,8 @@ pfa_anchor : '{' > > /* steping into a brace anchor */ > pf->asd++; > + if (pf->asd >= PFCTL_ANCHOR_STACK_DEPTH) > + errx(1, "pfa_anchor: anchors too deep"); This looks sane. > pf->bn++; > pf->brace = 1; >