From nobody Thu Sep 19 20:21:18 2024
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Date: Thu, 19 Sep 2024 20:21:18 GMT
Message-Id: <202409192021.48JKLIaH046392@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 589c67771edf - main - pf: drop packets if pullup fails List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 589c67771edf71fbc14bd33f6b8b90f4f327ad25 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=589c67771edf71fbc14bd33f6b8b90f4f327ad25 commit 589c67771edf71fbc14bd33f6b8b90f4f327ad25 Author: Kristof Provost AuthorDate: 2024-09-03 08:45:37 +0000 Commit: Kristof Provost CommitDate: 2024-09-19 20:20:13 +0000 pf: drop packets if pullup fails Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46587 --- sys/netpfil/pf/pf.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 59db6fd96953..f340c76da40e 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -8589,8 +8589,11 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, struct tcphdr *th = &pd->hdr.tcp; if (!pf_pull_hdr(m, *off, th, sizeof(*th), action, - reason, AF_INET)) + reason, AF_INET)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); + } *hdrlen = sizeof(*th); pd->p_len = pd->tot_len - *off - (th->th_off << 2); pd->sport = &th->th_sport; 
@@ -8601,8 +8604,11 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, struct udphdr *uh = &pd->hdr.udp; if (!pf_pull_hdr(m, *off, uh, sizeof(*uh), action, - reason, AF_INET)) + reason, AF_INET)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); + } *hdrlen = sizeof(*uh); if (uh->uh_dport == 0 || ntohs(uh->uh_ulen) > m->m_pkthdr.len - *off || @@ -8618,6 +8624,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, case IPPROTO_SCTP: { if (!pf_pull_hdr(m, *off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), action, reason, AF_INET)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); } *hdrlen = sizeof(pd->hdr.sctp); @@ -8639,8 +8647,11 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, } case IPPROTO_ICMP: { if (!pf_pull_hdr(m, *off, &pd->hdr.icmp, ICMP_MINLEN, - action, reason, AF_INET)) + action, reason, AF_INET)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); + } *hdrlen = ICMP_MINLEN; break; } @@ -8738,8 +8749,11 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, struct tcphdr *th = &pd->hdr.tcp; if (!pf_pull_hdr(m, *off, th, sizeof(*th), action, - reason, AF_INET6)) + reason, AF_INET6)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); + } *hdrlen = sizeof(*th); pd->p_len = pd->tot_len - *off - (th->th_off << 2); pd->sport = &th->th_sport; @@ -8750,8 +8764,11 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, struct udphdr *uh = &pd->hdr.udp; if (!pf_pull_hdr(m, *off, uh, sizeof(*uh), action, - reason, AF_INET6)) + reason, AF_INET6)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); + } *hdrlen = sizeof(*uh); if (uh->uh_dport == 0 || ntohs(uh->uh_ulen) > m->m_pkthdr.len - *off || 
@@ -8767,6 +8784,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, case IPPROTO_SCTP: { if (!pf_pull_hdr(m, *off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), action, reason, AF_INET6)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); } *hdrlen = sizeof(pd->hdr.sctp); @@ -8790,8 +8809,11 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, size_t icmp_hlen = sizeof(struct icmp6_hdr); if (!pf_pull_hdr(m, *off, &pd->hdr.icmp6, icmp_hlen, - action, reason, AF_INET6)) + action, reason, AF_INET6)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); + } /* ICMP headers we look further into to match state */ switch (pd->hdr.icmp6.icmp6_type) { case MLD_LISTENER_QUERY: @@ -8805,8 +8827,11 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, } if (icmp_hlen > sizeof(struct icmp6_hdr) && !pf_pull_hdr(m, *off, &pd->hdr.icmp6, icmp_hlen, - action, reason, AF_INET6)) + action, reason, AF_INET6)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); return (-1); + } *hdrlen = icmp_hlen; break; }
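Review bot: in every hunk (the AF_INET and AF_INET6 TCP, UDP, SCTP, ICMP and both ICMPv6 pulls) the new `*action = PF_DROP; REASON_SET(reason, PFRES_SHORT);` runs unconditionally after pf_pull_hdr() has already been handed the same `action, reason` pointers, so any action or reason pf_pull_hdr() stored for a specific failure cause is overwritten and every pullup failure is now counted as PFRES_SHORT. Suggest applying the default only when pf_pull_hdr() left `*action` untouched (e.g. still PF_PASS), or moving the PF_DROP/PFRES_SHORT default into pf_pull_hdr()'s own failure path so callers and callee cannot disagree about the drop reason.

Review bot: the identical three-line block is pasted nine times across pf_setup_pdesc(), and the SCTP hunks show a slightly different brace layout from the others, which is the kind of divergence that grows with each new header type. A small static inline helper or a macro wrapping the pf_pull_hdr() call, something like `if (pf_pull_hdr(...) == NULL) return (pf_pullup_failed(action, reason));`, would keep all nine cases byte-for-byte identical and make a missing PF_DROP in the next protocol case impossible to forget.

Review bot: the commit message says only that packets are now dropped when the pullup fails; the context lines show the old code returning -1 without touching `*action` or `*reason`, so the message should state what the caller did with that return (i.e. why a truncated header could previously escape the drop) and whether it is reachable from the wire, since that is what makes this a correctness fix rather than a cosmetic one.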