Date: Wed, 21 Aug 2024 12:11:52 GMT
Message-Id: <202408211211.47LCBqvY045729@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: e7f9171b6738 - main - pf: Handle m_len < sizeof(struct ether_header) case List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: e7f9171b6738809ded7250bc5c78368421255b1b Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=e7f9171b6738809ded7250bc5c78368421255b1b commit e7f9171b6738809ded7250bc5c78368421255b1b Author: Igor Ostapenko AuthorDate: 2024-08-21 10:01:34 +0000 Commit: Kristof Provost CommitDate: 2024-08-21 12:10:03 +0000 pf: Handle m_len < sizeof(struct ether_header) case Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46391 --- sys/netpfil/pf/pf.c | 7 +++++ tests/sys/netpfil/pf/mbuf.sh | 73 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ad2dc2e707ed..cb69d06b1fe6 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4365,6 +4365,13 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0) r = TAILQ_FIRST(rules); rm = NULL; + if (__predict_false(m->m_len < sizeof(struct ether_header)) && + (m = *m0 = m_pullup(*m0, sizeof(struct ether_header))) == NULL) { + DPFPRINTF(PF_DEBUG_URGENT, + ("pf_test_eth_rule: m_len < sizeof(struct ether_header)" + ", pullup failed\n")); + return (PF_DROP); + } e = mtod(m, struct ether_header *); proto = ntohs(e->ether_type); diff --git a/tests/sys/netpfil/pf/mbuf.sh b/tests/sys/netpfil/pf/mbuf.sh index 2dffa48ed2f5..a4664718093a 100644 --- a/tests/sys/netpfil/pf/mbuf.sh 
+++ b/tests/sys/netpfil/pf/mbuf.sh 
@@ -151,8 +151,81 @@ inet6_in_mbuf_len_cleanup() pft_cleanup } +atf_test_case "ethernet_in_mbuf_len" "cleanup" +ethernet_in_mbuf_len_head() +{ + atf_set descr 'Test that pf can handle inbound with the first mbuf with m_len < sizeof(struct ether_header)' + atf_set require.user root +} +ethernet_in_mbuf_len_body() +{ + pft_init + dummymbuf_init + + epair=$(vnet_mkepair) + epair_a_mac=$(ifconfig ${epair}a ether | awk '/ether/ { print $2; }') + ifconfig ${epair}a 192.0.2.1/24 up + + # Set up a simple jail with one interface + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + epair_b_mac=$(jexec alcatraz ifconfig ${epair}b ether | awk '/ether/ { print $2; }') + + # Sanity check + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + + # Should be denied + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "ether block" \ + "pass" + atf_check -s not-exit:0 -o ignore ping -c1 -t1 192.0.2.2 + + # Should be allowed by from/to addresses + echo $epair_a_mac + echo $epair_b_mac + pft_set_rules alcatraz \ + "ether block" \ + "ether pass in from ${epair_a_mac} to ${epair_b_mac}" \ + "ether pass out from ${epair_b_mac} to ${epair_a_mac}" \ + "pass" + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + + # Should still work for m_len=0 + jexec alcatraz pfilctl link -i dummymbuf:ethernet ethernet + jexec alcatraz sysctl net.dummymbuf.rules="ethernet in ${epair}b pull-head 0;" + atf_check_equal "0" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + + # m_len=1 + jexec alcatraz sysctl net.dummymbuf.rules="ethernet in ${epair}b pull-head 1;" + jexec alcatraz sysctl net.dummymbuf.hits=0 + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + + # m_len=11 + # for the simplest L2 Ethernet frame it should impact src field + jexec alcatraz sysctl 
net.dummymbuf.rules="ethernet in ${epair}b pull-head 11;" + jexec alcatraz sysctl net.dummymbuf.hits=0 + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + + # m_len=13 + # provided L2 Ethernet simplest header is 14 bytes long, it should impact ethertype field + jexec alcatraz sysctl net.dummymbuf.rules="ethernet in ${epair}b pull-head 13;" + jexec alcatraz sysctl net.dummymbuf.hits=0 + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" +} +ethernet_in_mbuf_len_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "inet_in_mbuf_len" atf_add_test_case "inet6_in_mbuf_len" + atf_add_test_case "ethernet_in_mbuf_len" }
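Review bot: in the sys/netpfil/pf/pf.c hunk, the failure branch returns PF_DROP with `*m0` set to NULL, which is the correct contract because m_pullup() has already freed the chain when it returns NULL, but nothing at the `return (PF_DROP);` says so; add a one-line comment ("m_pullup() freed the mbuf") so a later edit does not add an m_freem() here or let a caller touch `*m0` after a drop. The rest of the hunk is right: `m = *m0 = m_pullup(*m0, sizeof(struct ether_header))` refreshes the local `m` before the unchanged `e = mtod(m, struct ether_header *);` and `proto = ntohs(e->ether_type);` that follow, which is exactly the read that was unsafe when the first mbuf held fewer than 14 bytes. Minor: the DPFPRINTF text restates the `if` condition; "pf_test_eth_rule: m_pullup(ether_header) failed" would be shorter and name the operation that actually failed.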
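Review bot: the new ethernet_in_mbuf_len_body() in tests/sys/netpfil/pf/mbuf.sh only proves that traffic still passes once the header is split (pull-head 0, 1, 11 and 13); it never checks that a rule still matches on the pulled-up fields, so a pullup that left a stale or zeroed src/dst/ethertype would go unnoticed as long as the packet was not dropped. After the pull-head 11 and 13 cases, reload `"ether block"` plus `"pass"` (or a pass rule for the wrong MAC) and assert with `atf_check -s not-exit:0 -o ignore ping -c1 -t1 192.0.2.2` that the ping is dropped while net.dummymbuf.hits still reaches 1; that closes the loop on both the address match (11 lands inside ether_shost) and the ethertype match (13 lands inside ether_type). Also remove the two leftover debugging lines `echo $epair_a_mac` and `echo $epair_b_mac` before the "Should be allowed by from/to addresses" rule set; they only add noise to the test output. The per-case comments would read more clearly if they named the field being cut: "11: splits ether_shost (bytes 6-11)", "13: splits ether_type (bytes 12-13)".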