git: 646b453110aa - main - pf: fix pf_ioctl_add_addr() validation

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 10 Apr 2025 13:37:18 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=646b453110aa78abef24f507e7ef4562a7109897

commit 646b453110aa78abef24f507e7ef4562a7109897
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-04-10 11:49:03 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-04-10 13:36:41 +0000

    pf: fix pf_ioctl_add_addr() validation
    
    Ensure we can only pass AF_UNSPEC, AF_INET or AF_INET6 (and only when supported
    in our kernel config).
    
    Reported-by:    syzbot+8a9ee157bfed9e6b9efc@syzkaller.appspotmail.com
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_ioctl.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 3ee5173c1313..44da2e156ce2 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2571,14 +2571,20 @@ pf_ioctl_add_addr(struct pf_nl_pooladdr *pp)
 	    pp->which != PF_RT)
 		return (EINVAL);
 
-#ifndef INET
-	if (pp->af == AF_INET)
-		return (EAFNOSUPPORT);
+	switch (pp->af) {
+#ifdef INET
+	case AF_INET:
+		/* FALLTHROUGH */
 #endif /* INET */
-#ifndef INET6
-	if (pp->af == AF_INET6)
-		return (EAFNOSUPPORT);
+#ifdef INET6
+	case AF_INET6:
+		/* FALLTHROUGH */
 #endif /* INET6 */
+	case AF_UNSPEC:
+		break;
+	default:
+		return (EAFNOSUPPORT);
+	}
 
 	if (pp->addr.addr.type != PF_ADDR_ADDRMASK &&
 	    pp->addr.addr.type != PF_ADDR_DYNIFTL &&
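Review bot: `case AF_UNSPEC:` in the new switch accepts an unspecified family with no comment saying when that is valid for a pool address, and nothing marks the switch as an allowlist over a value that (judging by the syzbot report) arrives from the caller unchecked. I would add above the switch `/* pp->af comes from the request; accept only families built into this kernel, plus AF_UNSPEC. */` and, at `case AF_UNSPEC:`, one line naming the address types that may legitimately leave the family unset. I cannot tell from the hunk which types those are, since the `addr.addr.type` check only starts after the switch. The diffstat lists pf_ioctl.c alone, so a regression test that submits an out-of-range `af` and expects EAFNOSUPPORT would keep this finding from reappearing. pf_ioctl_add_addr() starts before and continues past the hunk.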