git: fd72bfa626bc - main - pf: ensure mbufs are long enough before we copy out IP(v6) headers
Date: Tue, 28 Jun 2022 08:43:42 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=fd72bfa626bcb9950eb2b057f224a7236e85e0af commit fd72bfa626bcb9950eb2b057f224a7236e85e0af Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2022-06-24 07:41:00 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-06-28 08:31:23 +0000 pf: ensure mbufs are long enough before we copy out IP(v6) headers This isn't likely to be an issue on real hardware (as Ethernet has a minimal packet length of 64 bytes), but can cause panics with short packets on if_epair. Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 275e1fcdbeb4..94ec0645fdeb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3899,6 +3899,10 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
 switch (proto) {
 #ifdef INET
 case ETHERTYPE_IP: {
+ if (m_length(m, NULL) < (sizeof(struct ether_header) +
+ sizeof(ip)))
+ return (PF_DROP);
+
 af = AF_INET;
 m_copydata(m, sizeof(struct ether_header), sizeof(ip),
 (caddr_t)&ip);
@@ -3909,6 +3913,10 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
 #endif /* INET */
 #ifdef INET6
 case ETHERTYPE_IPV6: {
+ if (m_length(m, NULL) < (sizeof(struct ether_header) +
+ sizeof(ip6)))
+ return (PF_DROP);
+
 af = AF_INET6;
 m_copydata(m, sizeof(struct ether_header), sizeof(ip6),
 (caddr_t)&ip6);
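Review bot: The new length guards in the ETHERTYPE_IP case, and identically in the ETHERTYPE_IPV6 case of the second hunk, return PF_DROP without recording anything, so truncated frames discarded here are invisible to whoever is watching the firewall. If this path has a drop counter or reason code available (none is visible in the hunk), it should be updated before the return. Both guards are also uncommented; a line such as `/* Drop frames too short to hold the IP header; copying it out of a short mbuf chain can panic (seen with if_epair). */` above each would keep them from being removed later as redundant. pf_test_eth_rule starts and ends outside the hunk, so please confirm that nothing acquired before the switch needs releasing on this early return, and that the Ethernet header itself is length-checked before `proto` is read.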