git: 7bad06cd0d8b - stable/13 - tcp: always set tcp_tun_port to a correct value

From: Gleb Smirnoff <glebius_at_FreeBSD.org>
Date: Tue, 02 Jan 2024 19:07:23 UTC
The branch stable/13 has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=7bad06cd0d8bf63a47cee1b209fd6c1864fb2da5

commit 7bad06cd0d8bf63a47cee1b209fd6c1864fb2da5
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2023-12-19 19:24:17 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2024-01-02 19:07:15 +0000

    tcp: always set tcp_tun_port to a correct value
    
    The tcp_tun_port field that is used to pass port value between UDP
    and TCP in case of tunneling is a generic field that used to pass
    data between network layers.  It can be contaminated on entry, e.g.
    by a VLAN tag set by a NIC driver.  Explicily set it, so that it
    is zeroed out in a normal not-tunneled TCP.  If it contains garbage,
    tcp_twcheck() later can enter wrong block of code and treat the packet
    as incorrectly tunneled one.  On main and stable/14 that will end up
    with sending incorrect responses, but on stable/13 with ipfw(8) and
    pcb-matching rules it may end up in a panic.
    
    This is a minimal conservative patch to be merged to stable branches.
    Later we may redesign this.
    
    PR:                     275169
    Reviewed by:            tuexen
    Differential Revision:  https://reviews.freebsd.org/D43065
    
    (cherry picked from commit 513f2e2e7180202167ca2963d815d2a4c3ac0af9)
---
 sys/netinet/tcp_input.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index d3145881ecf9..9a5b9b05f210 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -690,6 +690,7 @@ tcp_input_with_port(struct mbuf **mp, int *offp, int proto, uint16_t port)
 	to.to_flags = 0;
 	TCPSTAT_INC(tcps_rcvtotal);
 
+	m->m_pkthdr.tcp_tun_port = port;
 #ifdef INET6
 	if (isipv6) {
 		ip6 = mtod(m, struct ip6_hdr *);