git: 637d81c52d21 - main - pfctl: fix incorrect optimization

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 16 Sep 2024 13:05:25 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=637d81c52d2153fabbc72e2644199176e1042ab5

commit 637d81c52d2153fabbc72e2644199176e1042ab5
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-08-29 10:02:51 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-09-16 11:48:49 +0000

    pfctl: fix incorrect optimization
    
    In the non-optimized case, an address list containing "any" (i.e. { any 10.0.0.1 })
    should be folded in the parser to any, not to 10.0.0.1.  How long this bug has
    been with us is unclear.
    ok guenther mcbride
    
    Obtained from:  OpenBSD, deraadt <deraadt@openbsd.org>, e3b4bc25a0
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46580
---
 sbin/pfctl/parse.y        | 14 +++++++++++---
 sbin/pfctl/pfctl_parser.h |  2 ++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0c551d2ef49f..55b5310b61e3 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -3572,11 +3572,13 @@ toipspec	: TO ipspec			{ $$ = $2; }
 
 host_list	: ipspec optnl			{ $$ = $1; }
 		| host_list comma ipspec optnl	{
-			if ($3 == NULL)
+			if ($1 == NULL) {
+				freehostlist($3);
 				$$ = $1;
-			else if ($1 == NULL)
+			} else if ($3 == NULL) {
+				freehostlist($1);
 				$$ = $3;
-			else {
+			} else {
 				$1->tail->next = $3;
 				$1->tail = $3->tail;
 				$$ = $1;
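Review bot: The two new branches depend on the convention that a NULL node_host list stands for "any", but nothing in the rule states it and a reader has to recover it from the commit message; a comment above the first test, `/* NULL stands for "any": merging any with x is still any, so drop x */`, would make the folding self-explaining. When both `$1` and `$3` are NULL the first branch calls `freehostlist(NULL)`, which is only safe if the FREE_LIST macro behind it tolerates a NULL head, and that macro is not visible in this commit, so it is worth confirming. The effect is that a list containing `any` now widens to everything, so a `block` rule written as `{ any 10.0.0.1 }` blocks all sources instead of only 10.0.0.1 as it silently did before; that is the intended meaning, but rulesets that unknowingly relied on the old narrowing will change behaviour on upgrade. The closing brace of this action and the remainder of host_list are outside the hunk.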
@@ -6270,6 +6272,12 @@ expand_skip_interface(struct node_if *interfaces)
 		return (0);
 }
 
+void
+freehostlist(struct node_host *h)
+{
+	FREE_LIST(struct node_host, h);
+}
+
 #undef FREE_LIST
 #undef LOOP_THROUGH
 
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 6de998b34e52..550005508f40 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -137,6 +137,8 @@ struct node_host {
 	struct node_host	*tail;
 };
 
+void	freehostlist(struct node_host *);
+
 struct node_mac {
 	u_int8_t	 mac[ETHER_ADDR_LEN];
 	u_int8_t	 mask[ETHER_ADDR_LEN];