Date: Tue, 16 Aug 2022 08:21:47 GMT
Message-Id: <202208160821.27G8Llt7079545@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kornel Dulęba
Subject: git: c8cc66928b8b - stable/13 - icmp6: Improve validation of PMTU
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kd
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: c8cc66928b8bba07b3c50ab346035848ab685e03

The branch stable/13 has been updated by kd:

URL:
https://cgit.FreeBSD.org/src/commit/?id=c8cc66928b8bba07b3c50ab346035848ab685e03

commit c8cc66928b8bba07b3c50ab346035848ab685e03
Author:     Kornel Dulęba
AuthorDate: 2022-08-16 08:16:50 +0000
Commit:     Kornel Dulęba
CommitDate: 2022-08-16 08:16:50 +0000

    icmp6: Improve validation of PMTU

    Currently we accept any pmtu between IPV6_MMTU(1280B) and the link mtu.
    In some network topologies this could allow a bad actor to perform a DoS attack.
    Contrary to IPv4, in IPv6 oversized packets are dropped, and an ICMP
    PACKET_TOO_BIG message is sent back to the sender.
    After receiving an ICMPv6 packet with pmtu bigger than the
    current one, the victim will start sending frames that will be dropped
    by a router with reduced MTU.
    Although it will eventually receive another message with correct pmtu,
    an attacker can still just inject their spoofed packets frequently
    enough to overwrite the correct value.
    This issue is described in detail in RFC8201, section 6.
    Fix this by checking the current pmtu, and accepting the new one only
    if it's smaller.

    Approved by:    mw(mentor)
    Reviewed by:    tuexen
    MFC after:      1 week
    Sponsored by:   Stormshield
    Obtained from:  Semihalf
    Differential Revision: https://reviews.freebsd.org/D35871

    (cherry picked from commit 82042465c3b5477fc4f44be36077eab11b6b511b)

--- sys/netinet6/icmp6.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index f4a5574084fd..dd3444d42750 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -1113,6 +1113,7 @@ icmp6_mtudisc_update(struct ip6ctlparam *ip6cp, int validated) struct mbuf *m = ip6cp->ip6c_m; /* will be necessary for scope issue */ u_int mtu = ntohl(icmp6->icmp6_mtu); struct in_conninfo inc; + uint32_t max_mtu; #if 0 /* 
@@ -1153,7 +1154,11 @@ icmp6_mtudisc_update(struct ip6ctlparam *ip6cp, int validated) if (in6_setscope(&inc.inc6_faddr, m->m_pkthdr.rcvif, NULL)) return; - if (mtu < tcp_maxmtu6(&inc, NULL)) { + max_mtu = tcp_hc_getmtu(&inc); + if (max_mtu == 0) + max_mtu = tcp_maxmtu6(&inc, NULL); + + if (mtu < max_mtu) { tcp_hc_updatemtu(&inc, mtu); ICMP6STAT_INC(icp6s_pmtuchg); }
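
Review bot: In the first hunk `uint32_t max_mtu;` is declared directly under `u_int mtu = ntohl(icmp6->icmp6_mtu);`, and the second hunk compares the two in `if (mtu < max_mtu)`. Giving both locals the same type, or adding a one-line comment on why they differ, would make that comparison read as same-width unsigned at a glance. This is a style point, not a behaviour change.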
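
Review bot: The zero check in the second hunk (`if (max_mtu == 0)` right after `max_mtu = tcp_hc_getmtu(&inc);`) is uncommented, so a reader has to guess that 0 stands for "no MTU recorded for this destination" and that tcp_maxmtu6() is the fallback upper bound. A short comment above it saying so, with a pointer to RFC 8201 section 6 as cited in the commit message, would keep the rationale next to the code. It is also worth stating there that with `if (mtu < max_mtu)` a Packet Too Big message can now only lower the recorded value, so any later increase has to come from somewhere other than this function, and that a reported MTU equal to the recorded one is ignored and does not bump icp6s_pmtuchg, which looks intended but is not said.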