git: 8e1c23341c0c - main - pf: reduce the risk of src/dst mis-use

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 28 Jun 2022 12:01:28 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=8e1c23341c0c1b161f7fe9aa76ca2e399ada9f45

commit 8e1c23341c0c1b161f7fe9aa76ca2e399ada9f45
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-06-23 09:11:55 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-06-28 12:01:07 +0000

    pf: reduce the risk of src/dst mis-use
    
    NULL out src/dst and check them rather than relying of 'af' to indicate
    these variables are valid.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D35573
---
 sys/netpfil/pf/pf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 94ec0645fdeb..d9664404e6e3 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3860,7 +3860,7 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
 	struct pf_keth_ruleset *ruleset = NULL;
 	struct pf_mtag *mtag;
 	struct pf_keth_ruleq *rules;
-	struct pf_addr *src, *dst;
+	struct pf_addr *src = NULL, *dst = NULL;
 	sa_family_t af = 0;
 	uint16_t proto;
 	int asd = 0, match = 0;
@@ -3958,13 +3958,13 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
 			    "dst");
 			r = TAILQ_NEXT(r, entries);
 		}
-		else if (af != 0 && PF_MISMATCHAW(&r->ipsrc.addr, src, af,
+		else if (src != NULL && PF_MISMATCHAW(&r->ipsrc.addr, src, af,
 		    r->ipsrc.neg, kif, M_GETFIB(m))) {
 			SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
 			    "ip_src");
 			r = TAILQ_NEXT(r, entries);
 		}
-		else if (af != 0 && PF_MISMATCHAW(&r->ipdst.addr, dst, af,
+		else if (dst != NULL && PF_MISMATCHAW(&r->ipdst.addr, dst, af,
 		    r->ipdst.neg, kif, M_GETFIB(m))) {
 			SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
 			    "ip_dst");