Date: Tue, 14 Jan 2025 10:38:01 GMT
Message-Id: <202501141038.50EAc1ui048459@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 5466aca1536e - main - pf: minor fixes for pf_walk_header6()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 5466aca1536e45b2d327ff9ae232700ea01f30e8
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=5466aca1536e45b2d327ff9ae232700ea01f30e8

commit 5466aca1536e45b2d327ff9ae232700ea01f30e8
Author:     Kristof Provost
AuthorDate: 2025-01-09 13:39:20 +0000
Commit:     Kristof Provost
CommitDate: 2025-01-14 08:54:20 +0000

    pf: minor fixes for pf_walk_header6()

    - Fragment offset is in network byte order.
    - Check for legal short fragments before calling pf_pull_hdr() to avoid
      bogus reason accounting.
    - When checking whether the protocol header is within the fragment, count
      the IPv6 payload length relative to the end of the IPv6 header.

    ok henning@

    Obtained from: OpenBSD, bluhm , 3230e62590
    Sponsored by: Rubicon Communications, LLC ("Netgate")

--- sys/netpfil/pf/pf.c | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 11b6be239ca7..053b0b2ccb31 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -9720,9 +9720,11 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) struct ip6_frag frag; struct ip6_ext ext; struct ip6_rthdr rthdr; + uint32_t end; int rthdr_cnt = 0; pd->off += sizeof(struct ip6_hdr); + end = pd->off + ntohs(h->ip6_plen); pd->fragoff = pd->extoff = pd->jumbolen = 0; pd->proto = h->ip6_nxt; for (;;) { 
@@ -9746,7 +9748,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) } pd->fragoff = pd->off; /* stop walking over non initial fragments */ - if ((frag.ip6f_offlg & IP6F_OFF_MASK) != 0) + if (htons((frag.ip6f_offlg & IP6F_OFF_MASK)) != 0) return (PF_PASS); pd->off += sizeof(frag); pd->proto = frag.ip6f_nxt; @@ -9757,14 +9759,14 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) REASON_SET(reason, PFRES_IPOPTIONS); return (PF_DROP); } + /* fragments may be short */ + if (pd->fragoff != 0 && end < pd->off + sizeof(rthdr)) { + pd->off = pd->fragoff; + pd->proto = IPPROTO_FRAGMENT; + return (PF_PASS); + } if (!pf_pull_hdr(pd->m, pd->off, &rthdr, sizeof(rthdr), NULL, reason, AF_INET6)) { - /* fragments may be short */ - if (pd->fragoff != 0) { - pd->off = pd->fragoff; - pd->proto = IPPROTO_FRAGMENT; - return (PF_PASS); - } DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short rthdr")); return (PF_DROP); } @@ -9779,15 +9781,15 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) case IPPROTO_DSTOPTS: if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext), NULL, reason, AF_INET6)) { - /* fragments may be short */ - if (pd->fragoff != 0) { - pd->off = pd->fragoff; - pd->proto = IPPROTO_FRAGMENT; - return (PF_PASS); - } DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short exthdr")); return (PF_DROP); } + /* fragments may be short */ + if (pd->fragoff != 0 && end < pd->off + sizeof(ext)) { + pd->off = pd->fragoff; + pd->proto = IPPROTO_FRAGMENT; + return (PF_PASS); + } /* reassembly needs the ext header before the frag */ if (pd->fragoff == 0) pd->extoff = pd->off; 
@@ -9815,7 +9817,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) case IPPROTO_SCTP: case IPPROTO_ICMPV6: /* fragments may be short, ignore inner header then */ - if (pd->fragoff != 0 && ntohs(h->ip6_plen) < pd->off + + if (pd->fragoff != 0 && end < pd->off + (pd->proto == IPPROTO_TCP ? sizeof(struct tcphdr) : pd->proto == IPPROTO_UDP ? sizeof(struct udphdr) : pd->proto == IPPROTO_SCTP ? sizeof(struct sctphdr) :
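
Review bot: In the first hunk (@@ -9720), the new `end` is assigned with no comment saying what it denotes, and every later short-fragment test depends on reading it correctly. A one-line comment at `end = pd->off + ntohs(h->ip6_plen);` stating that it is the offset just past the IPv6 payload, measured from the same origin as `pd->off`, would make the `end < pd->off + sizeof(...)` comparisons in the following hunks self-explanatory and guard against someone reintroducing the raw `ip6_plen` comparison that the last hunk removes.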
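
Review bot: In the second hunk (@@ -9746), `htons()` is applied to a field read from the packet, which is the host-to-network direction, and the result is only compared against zero, which a byte swap cannot change. If the aim is to document that `ip6f_offlg` is in network byte order, `ntohs(frag.ip6f_offlg & IP6F_OFF_MASK) != 0` expresses that, and the doubled parentheses around the masked expression can be dropped at the same time.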
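
Review bot: In the fourth hunk (@@ -9779, the `IPPROTO_DSTOPTS` case), the short-fragment check lands after `pf_pull_hdr()`, whereas the rthdr hunk before it places the same check ahead of the call and the commit message says the check should run before `pf_pull_hdr()`. As written, a fragment too short to hold `ext` fails the pull first, so `reason` is set and the packet takes the "IPv6 short exthdr" `PF_DROP` path instead of returning `PF_PASS`. Moving the `if (pd->fragoff != 0 && end < pd->off + sizeof(ext))` block above the `pf_pull_hdr()` call would match the rthdr case and the stated intent.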