From: Avinash Duduskar Subject: authpf: fix dead whitespace-trim loop in read_config To: tech@openbsd.org Date: Fri, 17 Jul 2026 16:29:50 +0530 read_config() tries to strip trailing whitespace from an authpf.conf value, but the loop begins at the NUL terminator, so it never runs and the whitespace is kept. A line like "anchor=authpf " then loads the session's rules under the anchor "authpf ", which the "authpf/*" anchor in pf.conf never evaluates. A line like "table=authpf_users " asks the kernel to add the address to a table that does not exist: DIOCRADDADDRS returns ESRCH, and change_table() ignores it. Either way authpf tells the user they are authenticated and then passes none of the traffic it was supposed to allow, and no error is logged. Start at the last character, and test the bound before dereferencing. Tested on -current. With the trailing space, an authenticated session leaves empty and its traffic blocked, and "pfctl -sA" shows where the rules actually went: authpf authpf authpf /testuser(44922) With the diff the same authpf.conf behaves like one without the space; reverting it brings the failure back. diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c index bc410c0631c..3984e4d78d2 100644 --- a/usr.sbin/authpf/authpf.c +++ b/usr.sbin/authpf/authpf.c @@ -396,8 +396,8 @@ read_config(FILE *f) if (ap != &pair[2]) goto parse_error; - tp = pair[1] + strlen(pair[1]); - while ((*tp == ' ' || *tp == '\t') && tp >= pair[1]) + tp = pair[1] + strlen(pair[1]) - 1; + while (tp >= pair[1] && (*tp == ' ' || *tp == '\t')) *tp-- = '\0'; if (strcasecmp(pair[0], "anchor") == 0) {