From nobody Mon Oct 02 09:33:24 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RzbNh6qlJz4vrN7; Mon, 2 Oct 2023 09:33:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RzbNh5Ygqz4Sch; Mon, 2 Oct 2023 09:33:24 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696239204; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zIKmixR3TY9b7zaRNgCONT5rP20JLfbJ9t1+p3Hy8NE=; b=kmPK0q7kG9+BoL5buUnTJqg2BqhjrmNQ2GsXacyFiRt1P3VyHwKFnIZwQ0lOVoxwFL6jlg xTzGCkgq3PHEdZ6ivUL3TQZcq8oMSB1XANnWgrpzwn1JlehPlcJ0f8Jh1w/I4EVN+Q0Jna U7NNeOLidxMNfnnjJWlW+eXe8B4bpyHEj0h5kp/cbPC711k1SZpONrEMJTYBeoPFgrjix3 H4yR7wOERRUPZ4rOuH1F+LXjlr9wRsws4+O4SEUUv/S5i2nPaDlcH9UlWvZ3QkLaqlpdmU KzytOTTWqdp2831Ds/HrhpLb2fmh1sw+Yb8iE1mV/vE0zaAqpiMvBNeyG5EK0w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696239204; a=rsa-sha256; cv=none; b=wV8CIjmtudztcD22UkwlelguzLjhNcChZip2fO+nxy/9JEI2H0eVNhzspNCvjc103KW3i9 6b6fae5PPhBk9I+7IPEDAdrjju2h/K492xoz/oSrReODY9LPSqsElpqEz0jVGZ2Ptk0t8A Uf9qMnwypqeL6Rr+LYT7/gzF0zINKmqGBgZP4nWyQ2kEQc2ST5JNXuW+kXOR+VPDeTWVft tvEU1kewpCun6WtRCgSiPW/Yufl3d+POG5x9kKCfJ4e1I7KMwPdFSRPKEG9QAxs1oa1UU2 qXj4hixbS8X/K2H5GhZntLcMSTXbJTuAYUBqQ4nNWFWaFeZDxAjxTiv63Sn4FQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696239204; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zIKmixR3TY9b7zaRNgCONT5rP20JLfbJ9t1+p3Hy8NE=; b=O7gAhLk/WTyVok52LNhZpIs9EfXSgik+hNvubjJyIACOj1nFUmFXEMQA88T/HxAhnfpRPm gEFb5tDVCIDFlm5/zU4EBjbGYt7cZKhXmYYyOqqaveVH2TpCpQFltyAnbH3hSVrSgvsJWe 9rCuonbrBjRzfPzAzrWArzPR2m1DFvUTkpA7AOtxQHLmkz93wU34Jt9Gc6EhQ8gzjry9OE i11iz6VLlvo2FscECd0YmhzQw1+16O2TbDJ5dw3+TKxMsZOC8hh37ewNwV9KsA2m8hAoCM A4CUlw1aKFg+ZrhhasUnBuXf1loBVPW8i7XC/tJ8ej8Brc/Vyitoc+RLax041Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RzbNh4dhRz16CB; Mon, 2 Oct 2023 09:33:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3929XOxu002856; Mon, 2 Oct 2023 09:33:24 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3929XOVl002853; Mon, 2 Oct 2023 09:33:24 GMT (envelope-from git) Date: Mon, 2 Oct 2023 09:33:24 GMT Message-Id: <202310020933.3929XOVl002853@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 48172aad8143 - stable/14 - pf: improve SCTP state validation List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 48172aad8143d72fa2af363f4b6da0bf1c522789 Auto-Submitted: auto-generated The branch stable/14 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=48172aad8143d72fa2af363f4b6da0bf1c522789 commit 48172aad8143d72fa2af363f4b6da0bf1c522789 Author: Kristof Provost AuthorDate: 2023-09-01 11:33:56 +0000 Commit: Kristof Provost CommitDate: 2023-10-02 09:32:14 +0000 pf: improve SCTP state validation Only create new states for INIT chunks, or when we're creating a secondary state for a multihomed association. Store and verify verification tag. MFC after: 3 weeks Sponsored by: Orange Business Services (cherry picked from commit 51a78dd2764beabfd19a58b8a8b04387a547f02e) --- sys/net/pfvar.h | 8 +++++++- sys/netpfil/pf/pf.c | 25 +++++++++++++++---------- sys/netpfil/pf/pf_norm.c | 17 +++++++++++++++++ 3 files changed, 39 insertions(+), 11 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index ec72c1079c70..a8567ab74fe3 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -900,7 +900,10 @@ struct pf_state_scrub { #define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */ u_int8_t pfss_ttl; /* stashed TTL */ u_int8_t pad; - u_int32_t pfss_ts_mod; /* timestamp modulation */ + union { + u_int32_t pfss_ts_mod; /* timestamp modulation */ + u_int32_t pfss_v_tag; /* SCTP verification tag */ + }; }; struct pf_state_host { @@ -1583,6 +1586,7 @@ struct pf_pdesc { #define PFDESC_SCTP_DATA 0x0040 #define PFDESC_SCTP_ASCONF 0x0080 #define PFDESC_SCTP_OTHER 0x0100 +#define PFDESC_SCTP_ADD_IP 0x0200 u_int16_t sctp_flags; u_int32_t sctp_initiate_tag; @@ -2301,6 +2305,8 @@ int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, u_short *, struct tcphdr *, struct pf_kstate *, struct pf_state_peer *, struct pf_state_peer *, int *); +int pf_normalize_sctp_init(struct mbuf *, int, struct pf_pdesc *, + struct pf_state_peer *, struct pf_state_peer *); int pf_normalize_sctp(int, struct pfi_kkif *, struct mbuf *, int, int, void *, struct pf_pdesc *); u_int32_t diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 69373b720ad9..8958579b7e63 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4904,11 +4904,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, if (s->state_flags & PFSTATE_SCRUB_TCP && pf_normalize_tcp_init(m, off, pd, th, &s->src, &s->dst)) { REASON_SET(&reason, PFRES_MEMORY); - pf_src_tree_remove_state(s); - s->timeout = PFTM_UNLINKED; - STATE_DEC_COUNTERS(s); - pf_free_state(s); - return (PF_DROP); + goto drop; } if (s->state_flags & PFSTATE_SCRUB_TCP && s->src.scrub && pf_normalize_tcp_stateful(m, off, pd, &reason, th, s, @@ -4917,12 +4913,13 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, DPFPRINTF(PF_DEBUG_URGENT, ("pf_normalize_tcp_stateful failed on first " "pkt\n")); - pf_src_tree_remove_state(s); - s->timeout = PFTM_UNLINKED; - STATE_DEC_COUNTERS(s); - pf_free_state(s); - return (PF_DROP); + goto drop; } + } else if (pd->proto == IPPROTO_SCTP) { + if (pf_normalize_sctp_init(m, off, pd, &s->src, &s->dst)) + goto drop; + if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP))) + goto drop; } s->direction = pd->dir; @@ -5890,6 +5887,13 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, } } + if (src->scrub != NULL) { + if (src->scrub->pfss_v_tag == 0) { + src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag; + } else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag) + return (PF_DROP); + } + (*state)->expire = time_uptime; /* translate source/destination address, if necessary */ @@ -5930,6 +5934,7 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, struct pfi_kkif *kif, TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) { PF_RULES_RLOCK(); + j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP; action = pf_test_rule(&r, &sm, kif, j->m, off, &j->pd, &ra, &rs, NULL); PF_RULES_RUNLOCK(); diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 83b94db87a19..d63cf0ebe54e 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1565,11 +1565,28 @@ pf_normalize_tcp_init(struct mbuf *m, int off, struct pf_pdesc *pd, void pf_normalize_tcp_cleanup(struct pf_kstate *state) { + /* XXX Note: this also cleans up SCTP. */ uma_zfree(V_pf_state_scrub_z, state->src.scrub); uma_zfree(V_pf_state_scrub_z, state->dst.scrub); /* Someday... flush the TCP segment reassembly descriptors. */ } +int +pf_normalize_sctp_init(struct mbuf *m, int off, struct pf_pdesc *pd, + struct pf_state_peer *src, struct pf_state_peer *dst) +{ + src->scrub = uma_zalloc(V_pf_state_scrub_z, M_ZERO | M_NOWAIT); + if (src->scrub == NULL) + return (1); + + dst->scrub = uma_zalloc(V_pf_state_scrub_z, M_ZERO | M_NOWAIT); + if (dst->scrub == NULL) { + uma_zfree(V_pf_state_scrub_z, src); + return (1); + } + + return (0); +} int pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,