From 1adf4b76b7ecd1118407bf5fe11b267818eadb57 Mon Sep 17 00:00:00 2001
From: mvs
Date: Fri, 17 May 2024 18:58:26 +0000
Subject: [PATCH] Fix uninitialized memory access in pfkeyv2_sysctl().

pfkeyv2_sysctl() reads the SA type from uninitialized memory if it is not provided by the caller of sysctl(2) because of a missing length check. From Carsten Beckmann. ok bluhm
---
 sys/net/pfkeyv2.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index a6a1648e991..11d948bc070 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.260 2024/01/11 14:15:11 bluhm Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.261 2024/05/17 18:58:26 mvs Exp $ */
 /*
  * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -2705,7 +2705,10 @@ pfkeyv2_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
 	if (namelen < 1)
 		return (EINVAL);
 	w.w_op = name[0];
-	w.w_satype = name[1];
+	if (namelen >= 2)
+		w.w_satype = name[1];
+	else
+		w.w_satype = SADB_SATYPE_UNSPEC;
 	w.w_where = oldp;
 	w.w_len = oldp ? *oldlenp : 0;
-- 
2.20.1
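Review bot: The new else branch in the pfkeyv2_sysctl() hunk picks SADB_SATYPE_UNSPEC as the fallback SA type without saying what the walker does with it, and that fallback is now the contract for every sysctl(2) caller that passes a one-element name vector; a one-line comment above the new if would document it, e.g. `/* name[1] (SA type) is optional; UNSPEC presumably selects every type -- confirm against the walker */`. The length check still accepts namelen greater than 2 silently, so if surplus name components have no meaning here, rejecting them with EINVAL alongside the existing `namelen < 1` check would make the accepted shape of name[] explicit. pfkeyv2_sysctl's body continues outside the hunk, so any later use of name[] or namelen is not visible from here.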