Date: Wed, 6 Sep 2023 17:37:44 GMT
Message-Id: <202309061737.386HbiCT086773@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Gordon Tetlow
Subject: git: 0692341b263e - releng/12.4 - pf: handle multiple IPv6 fragment headers
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: gordon
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/12.4
X-Git-Reftype: branch
X-Git-Commit: 0692341b263e1baa17f5bbbe1d957b7e94eb647b

The branch releng/12.4 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=0692341b263e1baa17f5bbbe1d957b7e94eb647b

commit 0692341b263e1baa17f5bbbe1d957b7e94eb647b
Author:     Kristof Provost
AuthorDate: 2023-07-28 09:39:33 +0000
Commit:     Gordon Tetlow
CommitDate: 2023-09-06 17:19:11 +0000

pf: handle multiple IPv6 fragment headers

With 'scrub fragment reassemble' if a packet contains multiple IPv6
fragment headers we would reassemble the packet and immediately continue
processing it.

That is, we'd remove the first fragment header and expect the next
header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if
it's another fragment header we'd not treat the packet correctly.
That is, we'd fail to recognise the payload and treat it as if it were
an IPv6 fragment rather than as its actual payload.

Fix this by restarting the normalisation on the reassembled packet.
If there are multiple fragment headers drop the packet.

Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome) Approved by: so Security: FreeBSD-SA-23:10.pf Security: CVE-2023-4809 Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 76afcbb52492f9b3e72ee7d4c4ed0a54c25e1c48) (cherry picked from commit 8922b9ac0b48749be42689ea959e6a1664f96b12) --- sys/netpfil/pf/pf_norm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index ec063f82c1d9..9e936bcd1da5 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1213,6 +1213,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) goto drop; +again: + h = mtod(m, struct ip6_hdr *); extoff = 0; off = sizeof(struct ip6_hdr); proto = h->ip6_nxt; @@ -1303,6 +1305,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, return (PF_PASS); fragment: + if (pd->flags & PFDESC_IP_REAS) + return (PF_DROP); /* Jumbo payload packets cannot be fragmented. */ plen = ntohs(h->ip6_plen); if (plen == 0 || jumbolen) @@ -1324,7 +1328,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, return (PF_DROP); pd->flags |= PFDESC_IP_REAS; - return (PF_PASS); + goto again; shortpkt: REASON_SET(reason, PFRES_SHORT);
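
Review bot: In the first hunk (`@@ -1213`), the `again:` label sits below the `sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len` check, so the second pass over the reassembled packet skips that length test. If reassembly already bounds the total length this is fine, but a short comment at the label saying so, or moving the label above the check, would make the invariant explicit. The added `h = mtod(m, struct ip6_hdr *)` also assumes `m` refers to the reassembled chain when control arrives from `goto again`; the visible context does not show where `m` is refreshed from `*m0`, so that is worth confirming.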
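
Review bot: In the second hunk (`@@ -1303`), the new early exit at `fragment:` returns `PF_DROP` without recording a reason, whereas the `shortpkt:` path in the same function calls `REASON_SET(reason, PFRES_SHORT)`. Setting a reason before the return, for example `REASON_SET(reason, PFRES_FRAG)`, would let these drops show up in the pf counters. A one-line comment that `PFDESC_IP_REAS` at this point means a fragment header survived reassembly would also help the next reader.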
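
Review bot: In the third hunk (`@@ -1324`), `goto again` is a backward jump whose termination depends entirely on the `PFDESC_IP_REAS` test added at `fragment:`. A comment next to the `pd->flags |= PFDESC_IP_REAS` line stating that the flag limits the function to a single reassembly pass would make that dependency visible, so a later change to either site does not reintroduce a loop. The diffstat lists only `sys/netpfil/pf/pf_norm.c`, so no regression test for a packet with nested fragment headers accompanies the change; adding one would guard the drop path.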
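
The check the commit message describes, as an added example (not FreeBSD's pf code): a user-space walk of an IPv6 extension-header chain that counts Fragment headers, so a reassembled packet that still carries one can be rejected. The function name, the constructed sample packets and the set of headers handled (hop-by-hop, routing, destination options, fragment) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { HOPOPTS = 0, ROUTING = 43, FRAGMENT = 44, DSTOPTS = 60 };
/* Constructed samples: 40-byte IPv6 header, one 8-byte extension header
 * whose next-header is 17 (UDP), then 8 zero bytes standing in for UDP. */
static const uint8_t nested[56] = { [0] = 0x60, [5] = 16, [6] = FRAGMENT, [40] = 17 };
static const uint8_t clean[56]  = { [0] = 0x60, [5] = 16, [6] = DSTOPTS,  [40] = 17 };

/* Count Fragment headers in pkt's extension-header chain; -1 if the chain
 * runs past len. *final gets the first next-header value not handled here. */
int
count_frag_headers(const uint8_t *pkt, size_t len, uint8_t *final)
{
	size_t off = 40, hlen;
	uint8_t proto;
	int nfrag = 0;
	if (len < 40 || (pkt[0] >> 4) != 6)
		return (-1);
	proto = pkt[6];				/* ip6_nxt */
	for (;;) {
		if (proto == FRAGMENT) {
			hlen = 8;		/* fixed size */
			nfrag++;
		} else if (proto == HOPOPTS || proto == ROUTING || proto == DSTOPTS) {
			if (len - off < 2)
				return (-1);
			hlen = ((size_t)pkt[off + 1] + 1) * 8;
		} else {
			*final = proto;
			return (nfrag);
		}
		if (len - off < hlen)
			return (-1);
		proto = pkt[off];		/* next-header field */
		off += hlen;
	}
}

int
main(void)
{
	uint8_t fin = 0;
	/* Any Fragment header left in a reassembled packet means drop. */
	printf("nested: %s\n",
	    count_frag_headers(nested, sizeof(nested), &fin) ? "drop" : "pass");
	return (0);
}
```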