From 50e3c2fee82e11be496cc1550879bffa59ff1468 Mon Sep 17 00:00:00 2001
From: kn
Date: Wed, 11 Jul 2018 18:06:25 +0000
Subject: [PATCH] Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set to AF_LINK.

OK henning sashan
---
 sbin/pfctl/parse.y | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0dfe9c67c86..949613f0e2a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.679 2018/07/11 07:39:22 krw Exp $ */
+/* $OpenBSD: parse.y,v 1.680 2018/07/11 18:06:25 kn Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1326,12 +1326,20 @@ table_host_list : tablespec optnl { $$ = $1; }
 }
 ;
 
-queuespec : QUEUE STRING interface queue_opts {
- if ($3 == NULL && $4.parent == NULL) {
+queuespec : QUEUE STRING ON if_item queue_opts {
+ struct node_host *n;
+
+ if ($4 == NULL && $5.parent == NULL) {
 yyerror("root queue without interface");
 YYERROR;
 }
- expand_queue($2, $3, &$4);
+ if ((n = ifa_exists($4->ifname)) == NULL ||
+ n->af != AF_LINK) {
+ yyerror("not an interface");
+ YYERROR;
+ }
+
+ expand_queue($2, $4, &$5);
 }
 ;
 
-- 
2.20.1
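Review bot: Making `ON if_item` mandatory in the `queuespec` rule drops support for a sub-queue that names a `parent` but no interface, which the old optional `interface` production accepted — the retained `$4 == NULL && $5.parent == NULL` check only ever rejected the parent-less case — so existing configurations of that shape presumably stop parsing, and the commit message exercises root queues only. That retained check is now unreachable unless `if_item` can yield NULL, and if it can, `$4->ifname` in the following check dereferences NULL for any queue that has a parent. A narrower fix keeps `queuespec : QUEUE STRING interface queue_opts {` and validates the interface only when one was given: `if ($3 != NULL && ((n = ifa_exists($3->ifname)) == NULL || n->af != AF_LINK)) {`, leaving `expand_queue($2, $3, &$4);` as it was. The `interface` and `if_item` productions are outside the hunk, so confirm there whether `if_item` can ever be NULL. A short comment above the check, `/* ifa_exists() also matches groups and rdomains; only AF_LINK entries are real interfaces */`, would record why the af test is needed.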