author | 2006-07-21 01:21:17 +0000 | |
---|---|---|
committer | 2006-07-21 01:21:17 +0000 | |
commit | b8106c7901e67055ace69817e697d6c236432ada (patch) | |
tree | 486045b739faed6b5cd295f9db590e0497784bd0 | |
parent | Revert; keywords did not expand. (diff) | |
fix a bug in the input sanity check of DIOCCHANGERULE (not used by pfctl,
but third-party tools). a rule must have a non-empty replacement address
list when it's a translation rule but not an anchor call (i.e. "nat ... ->"
needs a replacement address, but "nat-anchor ..." doesn't). the check
confused "rule is an anchor call" with "rule is defined within an anchor".
report from Michal Mertl, Max Laier.
-rw-r--r-- | sys/net/pf_ioctl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 5eebce9d22c..b24f99a83ae 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.167 2006/07/06 13:25:40 henning Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.168 2006/07/21 01:21:17 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1683,7 +1683,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) (newrule->action == PF_RDR) || (newrule->action == PF_BINAT) || (newrule->rt > PF_FASTROUTE)) && - !pcr->anchor[0])) && + !newrule->anchor)) && (TAILQ_FIRST(&newrule->rpool.list) == NULL)) error = EINVAL; |
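
Review bot: In the pfioctl() hunk, the `!newrule->anchor` test carries no comment explaining the distinction the commit message says was confused, so I would add one above the condition: `newrule->anchor` being set means the rule is an anchor call, while `pcr->anchor` names the anchor the rule is defined in. The test also now depends on `newrule->anchor` already being populated for anchor-call rules when this check runs. The hunk does not show where that assignment happens, so please confirm it precedes this point on every path; if it does not, a "nat-anchor" rule with an empty `rpool.list` would still be rejected with EINVAL.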