bin/58371: npfctl 'validate' or 'reload' can crash with crafted npf.conf

[NetBSD-gnats-web%bow.st@localhost]

>Number:         58371
>Category:       bin
>Synopsis:       npfctl 'validate' or 'reload' can crash with crafted npf.conf
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 26 09:10:01 +0000 2024
>Originator:     Math
>Release:        10.0_BETA
>Organization:
>Environment:
NetBSD m900 10.0_BETA NetBSD 10.0_BETA (XEN3_DOM0) #0: Tue Apr 25 16:17:59 UTC 2023  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/xen/compile/XEN3_DOM0 amd64
>Description:
Given a npf.conf file as follows:

#----------------------->snip
# cat /tmp/npf.trip.conf
$ext_if = "lo0"

$lan_addrs= ifaddrs($ext_if)

group default {
    pass stateful in proto tcp to { $lan_addrs, 192.168.1.10 } port ssh 
#    pass stateful in proto tcp to { $lan_addrs } port ssh 
    pass stateful in on $ext_if from any to any port 655
}
#----------------------<snip


And running:
#----------------------->snip
# npfctl validate /tmp/npf.trip.conf
assertion "ctx->nblocks == ctx->gblock" failed: file "/usr/src/usr.sbin/npf/npfctl/npf_bpf_comp.c", line 408, function "fetch_l3"
[2]   Abort trap (core dumped) npfctl validate /tmp/npf.trip.conf
#
#----------------------<snip

The culprit seems to be variable referencing within a parenthesised list of addresses  - so for eg: the commented line doesn't seem to cause the problem.
>How-To-Repeat:
See above:
>Fix:
The npf config parser may need adjusting.