From c4bb3d1012585e08f4c8d1225c9db9793f351718 Mon Sep 17 00:00:00 2001
From: bluhm <bluhm@openbsd.org>
Date: Sat, 17 May 2014 08:12:53 +0000
Subject: [PATCH] When parsing a numerical value for the TOS bits, make sure
 that it is in a valid range. OK henning@

---
 sbin/pfctl/parse.y | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 257aee4d70a..463aa1c451e 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.632 2014/04/19 14:22:32 henning Exp $	*/
+/*	$OpenBSD: parse.y,v 1.633 2014/05/17 08:12:53 bluhm Exp $	*/
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -3211,13 +3211,18 @@ icmp6type	: STRING			{
 
 tos	: STRING			{
 			int val;
+			char *end;
+
 			if (map_tos($1, &val))
 				$$ = val;
-			else if ($1[0] == '0' && $1[1] == 'x')
-				$$ = strtoul($1, NULL, 16);
-			else
+			else if ($1[0] == '0' && $1[1] == 'x') {
+				errno = 0;
+				$$ = strtoul($1, &end, 16);
+				if (errno || *end != '\0')
+					$$ = 256;
+			} else
 				$$ = 256;		/* flag bad argument */
-			if ($$ > 255) {
+			if ($$ < 0 || $$ > 255) {
 				yyerror("illegal tos value %s", $1);
 				free($1);
 				YYERROR;
@@ -3226,8 +3231,8 @@ tos	: STRING			{
 		}
 		| NUMBER			{
 			$$ = $1;
-			if ($$ > 255) {
-				yyerror("illegal tos value %lu", $1);
+			if ($$ < 0 || $$ > 255) {
+				yyerror("illegal tos value %lld", $1);
 				YYERROR;
 			}
 		}
-- 
2.20.1