git: fd72bfa626bc - main - pf: ensure mbufs are long enough before we copy out IP(v6) headers

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 28 Jun 2022 08:43:42 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=fd72bfa626bcb9950eb2b057f224a7236e85e0af

commit fd72bfa626bcb9950eb2b057f224a7236e85e0af
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-06-24 07:41:00 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-06-28 08:31:23 +0000

    pf: ensure mbufs are long enough before we copy out IP(v6) headers
    
    This isn't likely to be an issue on real hardware (as Ethernet has a
    minimal packet length of 64 bytes), but can cause panics with short
    packets on if_epair.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 275e1fcdbeb4..94ec0645fdeb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3899,6 +3899,10 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
 	switch (proto) {
 #ifdef INET
 	case ETHERTYPE_IP: {
+		if (m_length(m, NULL) < (sizeof(struct ether_header) +
+		    sizeof(ip)))
+			return (PF_DROP);
+
 		af = AF_INET;
 		m_copydata(m, sizeof(struct ether_header), sizeof(ip),
 		    (caddr_t)&ip);
@@ -3909,6 +3913,10 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
 #endif /* INET */
 #ifdef INET6
 	case ETHERTYPE_IPV6: {
+		if (m_length(m, NULL) < (sizeof(struct ether_header) +
+		    sizeof(ip6)))
+			return (PF_DROP);
+
 		af = AF_INET6;
 		m_copydata(m, sizeof(struct ether_header), sizeof(ip6),
 		    (caddr_t)&ip6);