git: 6c3d107653 - main - Add EN-24:16, SA-24:15, and SA-24:16. Update SA-24:05 and SA-24:09.
Date: Thu, 19 Sep 2024 15:11:32 UTC
The branch main has been updated by gordon:
URL: https://cgit.FreeBSD.org/doc/commit/?id=6c3d1076537608a4d7d84446fd522f2bcf680719
commit 6c3d1076537608a4d7d84446fd522f2bcf680719
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-09-19 15:07:29 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-09-19 15:07:29 +0000
Add EN-24:16, SA-24:15, and SA-24:16. Update SA-24:05 and SA-24:09.
Approved by: so
---
website/data/security/advisories.toml | 8 +
website/data/security/errata.toml | 4 +
.../security/advisories/FreeBSD-EN-24:16.pf.asc | 160 ++++++
.../security/advisories/FreeBSD-SA-24:05.pf.asc | 36 +-
.../security/advisories/FreeBSD-SA-24:09.libnv.asc | 37 +-
.../security/advisories/FreeBSD-SA-24:15.bhyve.asc | 148 +++++
.../security/advisories/FreeBSD-SA-24:16.libnv.asc | 157 ++++++
.../static/security/patches/EN-24:16/pf-13.3.patch | 628 +++++++++++++++++++++
.../security/patches/EN-24:16/pf-13.3.patch.asc | 16 +
.../static/security/patches/EN-24:16/pf-14.0.patch | 486 ++++++++++++++++
.../security/patches/EN-24:16/pf-14.0.patch.asc | 16 +
.../static/security/patches/EN-24:16/pf-14.1.patch | 384 +++++++++++++
.../security/patches/EN-24:16/pf-14.1.patch.asc | 16 +
.../static/security/patches/SA-24:15/bhyve.patch | 165 ++++++
.../security/patches/SA-24:15/bhyve.patch.asc | 16 +
.../static/security/patches/SA-24:16/libnv.patch | 11 +
.../security/patches/SA-24:16/libnv.patch.asc | 16 +
17 files changed, 2278 insertions(+), 26 deletions(-)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index fc502d85e6..b88121ea3b 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,14 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-24:16.libnv"
+date = "2024-09-19"
+
+[[advisories]]
+name = "FreeBSD-SA-24:15.bhyve"
+date = "2024-09-19"
+
[[advisories]]
name = "FreeBSD-SA-24:14.umtx"
date = "2024-09-04"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index ddd7e6e5da..83dfdc6468 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-24:16.pf"
+date = "2024-09-19"
+
[[notices]]
name = "FreeBSD-EN-24:15.calendar"
date = "2024-09-04"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:16.pf.asc b/website/static/security/advisories/FreeBSD-EN-24:16.pf.asc
new file mode 100644
index 0000000000..3c38b7cd27
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:16.pf.asc
@@ -0,0 +1,160 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:16.pf Errata Notice
+ The FreeBSD Project
+
+Topic: Incorrect ICMPv6 state handling in pf
+
+Category: core
+Module: pf
+Announced: 2024-09-19
+Affects: All supported versions of FreeBSD
+Corrected: 2024-09-04 08:53:34 UTC (stable/14, 14.1-STABLE)
+ 2024-09-19 13:02:58 UTC (releng/14.1, 14.1-RELEASE-p5)
+ 2024-09-19 13:03:30 UTC (releng/14.0, 14.0-RELEASE-p11)
+ 2024-09-04 08:53:34 UTC (stable/13, 13.4-STABLE)
+ 2024-09-05 07:35:39 UTC (releng/13.4, 13.4-RC3)
+ 2024-09-19 13:04:05 UTC (releng/13.3, 13.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+pf is an Internet Protocol packet filter originally written for OpenBSD. pf
+uses a state table to determine whether to allow a packet that is from a
+known/already open transmission. It identifies ICMPv6 states based on the
+address family, protocol, addresses, and the ID.
+
+Normally, states are created by outgoing packets, or by incoming packets
+matching 'pass' rules. Packets that do not match any rule will be blocked or
+allowed depending on the default rule.
+
+ICMPv6 Neighbor Discovery has to be allowed in the firewall for IPv6 to work
+properly in broadcast networks, such as Ethernet.
+
+II. Problem Description
+
+Patches for a previous security advisory, FreeBSD-SA-24:05, were incomplete
+and introduced some overly strict pf state tracking for ICMPv6 packets.
+
+III. Impact
+
+The bugs may prevent ICMPv6 functions, e.g., Neighbor Discovery, from working
+as designed when the pf firewall is configured.
+
+IV. Workaround
+
+No workaround is available but systems not using IPv6 and the pf firewall are
+not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 14.1]
+# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.1.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.1.patch.asc
+# gpg --verify pf-14.1.patch.asc
+
+[FreeBSD 14.0]
+# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.0.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.0.patch.asc
+# gpg --verify pf-14.0.patch.asc
+
+[FreeBSD 13.4]
+No discrete patch is provided against 13.4 as the fix for this issue was
+incorporated into 13.4-RELEASE.
+
+[FreeBSD 13.3]
+# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-13.3.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-13.3.patch.asc
+# gpg --verify pf-13.3.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 38f74de7184a stable/14-n268653
+releng/14.1/ 1e965d5399e1 releng/14.1-n267715
+releng/14.0/ 413ae023b056 releng/14.0-n265452
+stable/13/ d6e5f8643d37 stable/13-n258307
+releng/13.4/ e893ec49afb2 releng/13.4-n258254
+releng/13.3/ ea9257bcd0e1 releng/13.3-n257467
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701>
+
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:05.pf.asc>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:16.pf.asc>
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
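Review bot: the source-patch fetch URLs in section V point at patches/EN-23:16/ (for example `# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.1.patch`) while this commit adds the patch files under website/static/security/patches/EN-24:16/; the three fetch pairs for 14.1, 14.0 and 13.3 should use EN-24:16, otherwise readers following the advisory's own instructions will not find the patches.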
diff --git a/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc
index 0c6d2b859d..aa65bb2f3c 100644
--- a/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc
+++ b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc
@@ -24,6 +24,14 @@ For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
+Note: This advisory introduced additional issues that were addressed by
+FreeBSD-EN-24:16.pf. Please refer to that erratum for additional fixes.
+
+0. Revision History
+
+v1.0 2024-08-07 -- Initial release
+v1.1 2024-09-19 -- Add reference to EN-24:16.pf
+
I. Background
pf is an Internet Protocol packet filter originally written for OpenBSD. pf
@@ -135,21 +143,23 @@ VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6640>
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:16.pf.asc>
+
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:05.pf.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc
index 8fa9aa9e43..9c18ebdc37 100644
--- a/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc
+++ b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc
@@ -26,6 +26,15 @@ For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
+Note: This advisory provided an incomplete fix for the issues described as
+CVE-2024-45287 that were further addressed by FreeBSD-SA-24:16.pf. Please
+refer to that advisory for additional fixes.
+
+0. Revision History
+
+v1.0 2024-09-04 -- Initial release
+v1.1 2024-09-19 -- Add reference to SA-24:16.libnv
+
I. Background
libnv (also called nvlist) is a general-purpose library designed for storing
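Review bot: the added note names the follow-up advisory as FreeBSD-SA-24:16.pf, but the revision-history line in the same hunk says "Add reference to SA-24:16.libnv" and the reference added in the next hunk is FreeBSD-SA-24:16.libnv.asc; change `CVE-2024-45287 that were further addressed by FreeBSD-SA-24:16.pf. Please` to use the .libnv name so the note points at the right advisory.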
@@ -138,21 +147,23 @@ VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45288>
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:16.libnv.asc>
+
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:09.libnv.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:15.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:15.bhyve.asc
new file mode 100644
index 0000000000..77351dc3df
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:15.bhyve.asc
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:15.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: bhyve(8) out-of-bounds read access via XHCI emulation
+
+Category: core
+Module: bhyve
+Announced: 2024-09-19
+Credits: Synacktiv
+Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-09-19 12:40:17 UTC (stable/14, 14.1-STABLE)
+ 2024-09-19 13:30:18 UTC (releng/14.1, 14.1-RELEASE-p5)
+ 2024-09-19 13:30:44 UTC (releng/14.0, 14.0-RELEASE-p11)
+ 2024-09-19 12:48:52 UTC (stable/13, 13.4-STABLE)
+ 2024-09-19 13:35:06 UTC (releng/13.4, 13.4-RELEASE-p1)
+ 2024-09-19 13:35:37 UTC (releng/13.3, 13.3-RELEASE-p7)
+CVE Name: CVE-2024-41721
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+bhyve(8) is a hypervisor that runs guest operating systems inside a virtual
+machine.
+
+II. Problem Description
+
+bhyve can be configured to emulate devices on a virtual USB controller (XHCI),
+such as USB tablet devices. An insufficient boundary validation in the USB
+code could lead to an out-of-bounds read on the heap, which could potentially
+lead to an arbitrary write and remote code execution.
+
+III. Impact
+
+A malicious, privileged software running in a guest VM can exploit the
+vulnerability to crash the hypervisor process or potentially achieve code
+execution on the host in the bhyve userspace process, which typically runs as
+root. Note that bhyve runs in a Capsicum sandbox, so malicious code is
+constrained by the capabilities available to the bhyve process.
+
+IV. Workaround
+
+No workaround is available, but guests that do not use XHCI emulation are not
+impacted.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Guest operating systems emulating USB devices with XHCI need to be restarted for
+the correction to be applied (i.e., their corresponding bhyve process needs to
+be terminated and started again).
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:15/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:15/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the corresponding bhyve processes, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 419da61f8203 stable/14-n268745
+releng/14.1/ 3c6c0dcb5acb releng/14.1-n267716
+releng/14.0/ ba46f1174972 releng/14.0-n265453
+stable/13/ 2abd2ad64899 stable/13-n258347
+releng/13.4/ 5f035df278cc releng/13.4-n258258
+releng/13.3/ e7a790dc3ffe releng/13.3-n257468
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The corresponding part of the security audit report as provided by Synacktiv
+will be published in due course.
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41721>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:15.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+
+-----END PGP SIGNATURE-----
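Review bot: step 1) of section V ends after `# freebsd-update install` without the "Restart the corresponding bhyve processes, or reboot the system." line that closes step 2); since the Solution text states the fix only takes effect once each affected bhyve process is terminated and started again, add the same restart line after the binary-patch commands so a reader following only step 1) does not leave vulnerable guests running.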
diff --git a/website/static/security/advisories/FreeBSD-SA-24:16.libnv.asc b/website/static/security/advisories/FreeBSD-SA-24:16.libnv.asc
new file mode 100644
index 0000000000..751a154622
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:16.libnv.asc
@@ -0,0 +1,157 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:16.libnv Security Advisory
+ The FreeBSD Project
+
+Topic: Integer overflow in libnv
+
+Category: core
+Module: libnv
+Announced: 2024-09-19
+Credits: MiĆosz Kaniewski
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-09-15 16:59:15 UTC (stable/14, 14.1-STABLE)
+ 2024-09-19 13:30:20 UTC (releng/14.1, 14.1-RELEASE-p5)
+ 2024-09-19 13:30:45 UTC (releng/14.0, 14.0-RELEASE-p11)
+ 2024-09-15 16:59:51 UTC (stable/13, 13.4-STABLE)
+ 2024-09-19 13:35:07 UTC (releng/13.4, 13.4-RELEASE-p1)
+ 2024-09-19 13:35:38 UTC (releng/13.3, 13.3-RELEASE-p7)
+CVE Name: CVE-2024-45287
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+libnv (also called nvlist) is a general-purpose library designed for storing
+name-value pairs. This library can serve as an Inter-Process Communication
+(IPC) framework, enabling processes to exchange data. For example, it is
+used in libcasper to communicate between privileged and unprivileged
+processes. Additionally, libnv can function as an interface for communication
+between userland and kernel.
+
+Originally, libnv was inspired by OpenZFS nvlist. However, the
+implementations are separate. This advisory is only about base system
+implementation of libnv, not a OpenZFS one.
+
+II. Problem Description
+
+A malicious value of size in a structure of packed libnv can cause an integer
+overflow, leading to the allocation of a smaller buffer than required for the
+parsed data. The introduced check was incorrect, as it took into account the
+size of the pointer, not the structure. This vulnerability affects both
+kernel and userland.
+
+This issue was originally intended to be addressed as part of
+FreeBSD-SA-24:09.libnv, but due to a logic issue, this issue was not properly
+addressed.
+
+III. Impact
+
+It is possible for an attacker to overwrite portions of memory (in userland
+or the kernel) as the allocated buffer might be smaller than the data
+received from a malicious process. This vulnerability could result in
+privilege escalation or cause a system panic.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:16/libnv.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:16/libnv.patch.asc
+# gpg --verify libnv.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+d) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 056c50c48be3 stable/14-n268739
+releng/14.1/ f67468e6e5e2 releng/14.1-n267717
+releng/14.0/ e9d57be06e23 releng/14.0-n265454
+stable/13/ d84fced6b468 stable/13-n258342
+releng/13.4/ 2cffa6354d9f releng/13.4-n258259
+releng/13.3/ 417e81a40091 releng/13.3-n257469
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45287>
+
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:09.libnv.asc>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:16.libnv.asc>
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
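Review bot: the Credits line renders as `Credits: MiĆosz Kaniewski`, which looks like a mis-encoded "Miłosz"; check that the .asc file is UTF-8 before it is signed, because the name sits inside the cleartext-signed body and fixing it later means re-signing the advisory.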
diff --git a/website/static/security/patches/EN-24:16/pf-13.3.patch b/website/static/security/patches/EN-24:16/pf-13.3.patch
new file mode 100644
index 0000000000..3f657dcfdd
--- /dev/null
+++ b/website/static/security/patches/EN-24:16/pf-13.3.patch
@@ -0,0 +1,628 @@
+--- sys/net/pfvar.h.orig
++++ sys/net/pfvar.h
+@@ -330,8 +330,8 @@
+ mtx_unlock(_s->lock); \
+ } while (0)
+ #else
+-#define PF_STATE_LOCK(s) mtx_lock(s->lock)
+-#define PF_STATE_UNLOCK(s) mtx_unlock(s->lock)
++#define PF_STATE_LOCK(s) mtx_lock((s)->lock)
++#define PF_STATE_UNLOCK(s) mtx_unlock((s)->lock)
+ #endif
+
+ #ifdef INVARIANTS
+@@ -2222,7 +2222,7 @@
+ struct pf_addr *, struct pf_addr *,
+ uint16_t, uint16_t, struct pf_kanchor_stackframe *);
+
+-struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct pf_addr *,
++struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct mbuf *, int, struct pf_addr *,
+ struct pf_addr *, u_int16_t, u_int16_t);
+ struct pf_state_key *pf_state_key_clone(struct pf_state_key *);
+
+--- sys/netpfil/pf/pf.c.orig
++++ sys/netpfil/pf/pf.c
+@@ -307,6 +307,9 @@
+ struct pfi_kkif *, struct mbuf *, void *,
+ struct pf_pdesc *, struct pf_krule **,
+ struct pf_kruleset **);
++static int pf_state_key_addr_setup(struct pf_pdesc *, struct mbuf *,
++ int, struct pf_state_key_cmp *, int, struct pf_addr *,
++ int, struct pf_addr *, int);
+ static int pf_tcp_track_full(struct pf_kstate **,
+ struct pfi_kkif *, struct mbuf *, int,
+ struct pf_pdesc *, u_short *, int *);
+@@ -320,8 +323,8 @@
+ void *, struct pf_pdesc *);
+ int pf_icmp_state_lookup(struct pf_state_key_cmp *,
+ struct pf_pdesc *, struct pf_kstate **, struct mbuf *,
+- int, struct pfi_kkif *, u_int16_t, u_int16_t,
+- int, int *, int);
++ int, int, struct pfi_kkif *, u_int16_t, u_int16_t,
++ int, int *, int, int);
+ static int pf_test_state_icmp(struct pf_kstate **, int,
+ struct pfi_kkif *, struct mbuf *, int,
+ void *, struct pf_pdesc *, u_short *);
+@@ -375,7 +378,7 @@
+ extern struct proc *pf_purge_proc;
+
+ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
+-enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_SOLICITED, PF_ICMP_MULTI_LINK };
++enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_LINK };
+
+ #define PACKET_UNDO_NAT(_m, _pd, _off, _s, _dir) \
+ do { \
+@@ -1414,9 +1417,66 @@
+ return (0);
+ }
+
++static int
++pf_state_key_addr_setup(struct pf_pdesc *pd, struct mbuf *m, int off,
++ struct pf_state_key_cmp *key, int sidx, struct pf_addr *saddr,
++ int didx, struct pf_addr *daddr, int multi)
++{
++#ifdef INET6
++ struct nd_neighbor_solicit nd;
++ struct pf_addr *target;
++ u_short action, reason;
++
++ if (pd->af == AF_INET || pd->proto != IPPROTO_ICMPV6)
++ goto copy;
++
++ switch (pd->hdr.icmp6.icmp6_type) {
++ case ND_NEIGHBOR_SOLICIT:
++ if (multi)
++ return (-1);
++ if (!pf_pull_hdr(m, off, &nd, sizeof(nd), &action, &reason, pd->af))
++ return (-1);
++ target = (struct pf_addr *)&nd.nd_ns_target;
++ daddr = target;
++ break;
++ case ND_NEIGHBOR_ADVERT:
++ if (multi)
++ return (-1);
++ if (!pf_pull_hdr(m, off, &nd, sizeof(nd), &action, &reason, pd->af))
++ return (-1);
++ target = (struct pf_addr *)&nd.nd_ns_target;
++ saddr = target;
++ if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)) {
++ key->addr[didx].addr32[0] = 0;
++ key->addr[didx].addr32[1] = 0;
++ key->addr[didx].addr32[2] = 0;
++ key->addr[didx].addr32[3] = 0;
++ daddr = NULL; /* overwritten */
++ }
++ break;
++ default:
++ if (multi == PF_ICMP_MULTI_LINK) {
++ key->addr[sidx].addr32[0] = IPV6_ADDR_INT32_MLL;
++ key->addr[sidx].addr32[1] = 0;
++ key->addr[sidx].addr32[2] = 0;
++ key->addr[sidx].addr32[3] = IPV6_ADDR_INT32_ONE;
++ saddr = NULL; /* overwritten */
++ }
++ }
++copy:
++#endif
++ if (saddr)
++ PF_ACPY(&key->addr[sidx], saddr, pd->af);
++ if (daddr)
++ PF_ACPY(&key->addr[didx], daddr, pd->af);
++
++ return (0);
++}
++
+ struct pf_state_key *
+-pf_state_key_setup(struct pf_pdesc *pd, struct pf_addr *saddr,
+- struct pf_addr *daddr, u_int16_t sport, u_int16_t dport)
++pf_state_key_setup(struct pf_pdesc *pd, struct mbuf *m, int off,
++ struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t sport,
++ u_int16_t dport)
+ {
+ struct pf_state_key *sk;
+
+@@ -1424,8 +1484,12 @@
+ if (sk == NULL)
+ return (NULL);
+
+- PF_ACPY(&sk->addr[pd->sidx], saddr, pd->af);
+- PF_ACPY(&sk->addr[pd->didx], daddr, pd->af);
++ if (pf_state_key_addr_setup(pd, m, off, (struct pf_state_key_cmp *)sk,
++ pd->sidx, pd->src, pd->didx, pd->dst, 0)) {
++ uma_zfree(V_pf_state_key_z, sk);
++ return (NULL);
++ }
++
+ sk->port[pd->sidx] = sport;
+ sk->port[pd->didx] = dport;
+ sk->proto = pd->proto;
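Review bot: after this change the saddr and daddr parameters of pf_state_key_setup() are dead: the removed `PF_ACPY(&sk->addr[pd->sidx], saddr, pd->af);` lines used them, but the replacement call passes `pd->sidx, pd->src, pd->didx, pd->dst, 0`, so whatever a caller supplies is silently ignored. Either forward saddr/daddr into pf_state_key_addr_setup() or remove them from the prototype in pfvar.h; the single caller updated in this patch passes pd->src/pd->dst anyway, so dropping them is the smaller change.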
+@@ -4579,7 +4643,7 @@
+ if (nr == NULL) {
+ KASSERT((sk == NULL && nk == NULL), ("%s: nr %p sk %p, nk %p",
+ __func__, nr, sk, nk));
+- sk = pf_state_key_setup(pd, pd->src, pd->dst, sport, dport);
++ sk = pf_state_key_setup(pd, m, off, pd->src, pd->dst, sport, dport);
+ if (sk == NULL)
+ goto csfailed;
+ nk = sk;
+@@ -5990,8 +6054,9 @@
+
+ int
+ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
+- struct pf_kstate **state, struct mbuf *m, int direction, struct pfi_kkif *kif,
+- u_int16_t icmpid, u_int16_t type, int icmp_dir, int *iidx, int multi)
++ struct pf_kstate **state, struct mbuf *m, int off, int direction,
++ struct pfi_kkif *kif, u_int16_t icmpid, u_int16_t type, int icmp_dir,
++ int *iidx, int multi, int inner)
+ {
+ key->af = pd->af;
+ key->proto = pd->proto;
+@@ -6004,31 +6069,19 @@
+ key->port[pd->sidx] = type;
+ key->port[pd->didx] = icmpid;
+ }
+- if (pd->af == AF_INET6 && multi != PF_ICMP_MULTI_NONE) {
+- switch (multi) {
+- case PF_ICMP_MULTI_SOLICITED:
+- key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL;
+- key->addr[pd->sidx].addr32[1] = 0;
+- key->addr[pd->sidx].addr32[2] = IPV6_ADDR_INT32_ONE;
+- key->addr[pd->sidx].addr32[3] = pd->src->addr32[3];
+- key->addr[pd->sidx].addr8[12] = 0xff;
+- break;
+- case PF_ICMP_MULTI_LINK:
+- key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL;
+- key->addr[pd->sidx].addr32[1] = 0;
+- key->addr[pd->sidx].addr32[2] = 0;
+- key->addr[pd->sidx].addr32[3] = IPV6_ADDR_INT32_ONE;
+- break;
+- }
+- } else
+- PF_ACPY(&key->addr[pd->sidx], pd->src, key->af);
+- PF_ACPY(&key->addr[pd->didx], pd->dst, key->af);
++ if (pf_state_key_addr_setup(pd, m, off, key, pd->sidx, pd->src,
++ pd->didx, pd->dst, multi))
++ return (PF_DROP);
+
+ STATE_LOOKUP(kif, key, direction, *state, pd);
+
++ if ((*state)->state_flags & PFSTATE_SLOPPY)
++ return (-1);
++
+ /* Is this ICMP message flowing in right direction? */
+ if ((*state)->rule.ptr->type &&
+- (((*state)->direction == direction) ?
++ (((!inner && (*state)->direction == direction) ||
++ (inner && (*state)->direction != direction)) ?
+ PF_IN : PF_OUT) != icmp_dir) {
+ if (V_pf_status.debug >= PF_DEBUG_MISC) {
+ printf("pf: icmp type %d in wrong direction (%d): ",
+@@ -6036,6 +6089,8 @@
+ pf_print_state(*state);
+ printf("\n");
+ }
++ PF_STATE_UNLOCK(*state);
++ *state = NULL;
+ return (PF_DROP);
+ }
+ return (-1);
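Review bot: pf_icmp_state_lookup() now returns PF_DROP from the new pf_state_key_addr_setup() failure path before STATE_LOOKUP runs, leaving *state untouched, while the callers changed later in this patch assert MPASS(*state == NULL) whenever ret >= 0; that only holds if every caller hands in a NULL-initialised state pointer, so either set `*state = NULL;` on that path too (as the wrong-direction path now does right after PF_STATE_UNLOCK(*state)) or document the precondition at the function. The new PFSTATE_SLOPPY early return (-1) also bypasses the direction check entirely; if that is intended for sloppy states a one-line comment would save the next reader from wondering.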
+@@ -6084,19 +6139,20 @@
+ * ICMP query/reply message not related to a TCP/UDP packet.
+ * Search for an ICMP state.
+ */
+- ret = pf_icmp_state_lookup(&key, pd, state, m, pd->dir,
++ ret = pf_icmp_state_lookup(&key, pd, state, m, off, pd->dir,
+ kif, virtual_id, virtual_type, icmp_dir, &iidx,
+- PF_ICMP_MULTI_NONE);
++ PF_ICMP_MULTI_NONE, 0);
+ if (ret >= 0) {
++ MPASS(*state == NULL);
+ if (ret == PF_DROP && pd->af == AF_INET6 &&
+ icmp_dir == PF_OUT) {
+- if (*state != NULL)
+- PF_STATE_UNLOCK((*state));
+- ret = pf_icmp_state_lookup(&key, pd, state, m,
++ ret = pf_icmp_state_lookup(&key, pd, state, m, off,
+ pd->dir, kif, virtual_id, virtual_type,
+- icmp_dir, &iidx, multi);
+- if (ret >= 0)
++ icmp_dir, &iidx, multi, 0);
++ if (ret >= 0) {
++ MPASS(*state == NULL);
+ return (ret);
++ }
+ } else
+ return (ret);
+ }
+@@ -6178,6 +6234,7 @@
+ int off2 = 0;
+
+ pd2.af = pd->af;
++ pd2.dir = pd->dir;
+ /* Payload packet is from the opposite direction. */
+ pd2.sidx = (direction == PF_IN) ? 1 : 0;
+ pd2.didx = (direction == PF_IN) ? 0 : 1;
+@@ -6485,9 +6542,9 @@
+ }
+ #ifdef INET
+ case IPPROTO_ICMP: {
+- struct icmp iih;
++ struct icmp *iih = &pd2.hdr.icmp;
+
+- if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
++ if (!pf_pull_hdr(m, off2, iih, ICMP_MINLEN,
+ NULL, reason, pd2.af)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: ICMP error message too short i"
+@@ -6495,15 +6552,17 @@
+ return (PF_DROP);
+ }
+
+- icmpid = iih.icmp_id;
+- pf_icmp_mapping(&pd2, iih.icmp_type,
++ icmpid = iih->icmp_id;
++ pf_icmp_mapping(&pd2, iih->icmp_type,
+ &icmp_dir, &multi, &virtual_id, &virtual_type);
+
+- ret = pf_icmp_state_lookup(&key, &pd2, state, m,
+- pd->dir, kif, virtual_id, virtual_type,
+- icmp_dir, &iidx, PF_ICMP_MULTI_NONE);
+- if (ret >= 0)
++ ret = pf_icmp_state_lookup(&key, &pd2, state, m, off,
++ pd2.dir, kif, virtual_id, virtual_type,
++ icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1);
++ if (ret >= 0) {
++ MPASS(*state == NULL);
+ return (ret);
++ }
+
+ /* translate source/destination address, if necessary */
+ if ((*state)->key[PF_SK_WIRE] !=
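Review bot: the inner-ICMP lookup passes the outer header offset `off` (`ret = pf_icmp_state_lookup(&key, &pd2, state, m, off,`) together with pd2, whose header was pulled from off2. pf_state_key_addr_setup() only reads a Neighbor Discovery header when pd->proto is IPPROTO_ICMPV6, so this is harmless for the IPv4 case here, but the corresponding ICMPv6 inner case should be checked to pass off2, otherwise an embedded NS/NA target would be parsed from the wrong offset.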
+@@ -6514,10 +6573,10 @@
+ if (PF_ANEQ(pd2.src,
+ &nk->addr[pd2.sidx], pd2.af) ||
+ (virtual_type == htons(ICMP_ECHO) &&
+- nk->port[iidx] != iih.icmp_id))
++ nk->port[iidx] != iih->icmp_id))
+ pf_change_icmp(pd2.src,
+ (virtual_type == htons(ICMP_ECHO)) ?
+- &iih.icmp_id : NULL,
++ &iih->icmp_id : NULL,
+ daddr, &nk->addr[pd2.sidx],
+ (virtual_type == htons(ICMP_ECHO)) ?
+ nk->port[iidx] : 0, NULL,
+@@ -6533,7 +6592,7 @@
+
+ m_copyback(m, off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
+ m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
+- m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih);
++ m_copyback(m, off2, ICMP_MINLEN, (caddr_t)iih);
+ }
+ return (PF_PASS);
+ break;
+@@ -6541,9 +6600,9 @@
+ #endif /* INET */
+ #ifdef INET6
+ case IPPROTO_ICMPV6: {
+- struct icmp6_hdr iih;
++ struct icmp6_hdr *iih = &pd2.hdr.icmp6;
+
+- if (!pf_pull_hdr(m, off2, &iih,
++ if (!pf_pull_hdr(m, off2, iih,
+ sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: ICMP error message too short "
+@@ -6551,22 +6610,24 @@
+ return (PF_DROP);
+ }
*** 1491 LINES SKIPPED ***