Date: Thu, 10 Oct 2024 12:37:17 GMT
Message-Id: <202410101237.49ACbHjv006191@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 7b033960e15a - main - pf: stricter address family checks in icmp-in-icmp
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: 7b033960e15a998a388b1e4e84be9169b7762470

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=7b033960e15a998a388b1e4e84be9169b7762470

commit 7b033960e15a998a388b1e4e84be9169b7762470
Author:     Kristof Provost
AuthorDate: 2024-09-30 12:31:13 +0000
Commit:     Kristof Provost
CommitDate: 2024-10-10 12:10:39 +0000

    pf: stricter address family checks in icmp-in-icmp

    If ipv4+icmp6 or ipv6+icmp packets were embedded into an icmp payload,
    we failed to drop them.

    While there, also add a reason to the corresponding check in pf_test().

    ok mcbride@ claudio@

    Obtained from:  OpenBSD, bluhm, 7ce93f3346
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46929
---
 sys/netpfil/pf/pf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index aa63c2c1d390..891c490a0b1e 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7342,6 +7342,11 @@ pf_test_state_icmp(struct pf_kstate **state, struct pfi_kkif *kif, case IPPROTO_ICMP: { struct icmp *iih = &pd2.hdr.icmp; + if (pd2.af != AF_INET) { + REASON_SET(reason, PFRES_NORM); + return (PF_DROP); + } + if (!pf_pull_hdr(m, off2, iih, ICMP_MINLEN, NULL, reason, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC,
@@ -7400,6 +7405,11 @@ pf_test_state_icmp(struct pf_kstate **state, struct pfi_kkif *kif, case IPPROTO_ICMPV6: { struct icmp6_hdr *iih = &pd2.hdr.icmp6; + if (pd2.af != AF_INET6) { + REASON_SET(reason, PFRES_NORM); + return (PF_DROP); + } + if (!pf_pull_hdr(m, off2, iih, sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC, @@ -9201,6 +9211,7 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 case IPPROTO_ICMP: { if (af != AF_INET) { action = PF_DROP; + REASON_SET(&reason, PFRES_NORM); DPFPRINTF(PF_DEBUG_MISC, ("dropping IPv6 packet with ICMPv4 payload")); goto done; @@ -9220,6 +9231,7 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 case IPPROTO_ICMPV6: { if (af != AF_INET6) { action = PF_DROP; + REASON_SET(&reason, PFRES_NORM); DPFPRINTF(PF_DEBUG_MISC, ("pf: dropping IPv4 packet with ICMPv6 payload\n")); goto done;
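Review bot: in the first hunk (pf_test_state_icmp, case IPPROTO_ICMP) the new `if (pd2.af != AF_INET)` drop is silent, while the equivalent outer-header check in pf_test() in the third hunk logs `DPFPRINTF(PF_DEBUG_MISC, ("dropping IPv6 packet with ICMPv4 payload"))`. For parity, and so that a PFRES_NORM drop in this path is explainable when debugging, add a matching DPFPRINTF before `return (PF_DROP);`. Placing the check ahead of pf_pull_hdr() is the right order: no header bytes are pulled before the family is validated.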
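Review bot: the second hunk (case IPPROTO_ICMPV6 in pf_test_state_icmp) duplicates the first with AF_INET6 substituted. Since both cases sit in the same switch on pd2.proto, a single consistency check before the switch, e.g. `if ((pd2.proto == IPPROTO_ICMP && pd2.af != AF_INET) || (pd2.proto == IPPROTO_ICMPV6 && pd2.af != AF_INET6))`, would express the rule once and make it an obvious candidate for sharing with the pf_test() checks in the third and fourth hunks. Style only; the per-case form is correct as written.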
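Review bot: in the third hunk (pf_test, case IPPROTO_ICMP) the debug string `"dropping IPv6 packet with ICMPv4 payload"` has neither the `pf: ` prefix nor the trailing `\n` that its ICMPv6 counterpart in the fourth hunk uses (`"pf: dropping IPv4 packet with ICMPv6 payload\n"`). Since this hunk already touches the block to add `REASON_SET(&reason, PFRES_NORM);`, bringing the two messages into the same form here would be cheap.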
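Review bot: in the fourth hunk (pf_test, case IPPROTO_ICMPV6), as in the other three, the reason is PFRES_NORM, so from the reason counters alone an IPv4 packet carrying an ICMPv6 header rejected here cannot be told apart from a mismatched quoted header rejected inside pf_test_state_icmp(), nor from any other drop that reports PFRES_NORM; the DPFPRINTF, which only the two pf_test() paths emit, is the sole distinguishing signal. If operators need to attribute these drops, a dedicated reason would be clearer than reusing PFRES_NORM. Otherwise the hunk is consistent with the third: `action = PF_DROP;`, then the reason, then `goto done;`.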
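As an added example (not code from this commit or from pf), the following standalone C program applies the rule the patch enforces to constructed packets: the address family of the IP header that carries an ICMP or ICMPv6 header must match the ICMP flavour, both for the outer packet (the pf_test() check) and for the packet quoted inside an ICMP error message (the pf_test_state_icmp() check). The function names classify_packet, scenario, parse_ip and icmp_carries_packet, the minimal header parser that reads the quoted header's own version nibble, and the list of ICMP error types treated as carrying a quoted packet are this example's assumptions; they do not reproduce pf's pd/pd2 setup.

```c
/* Added example, not pf code: the family/ICMP-flavour rule from the patch,
 * applied to an outer packet and to the IP header quoted in an ICMP error. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>		/* AF_INET, AF_INET6 */
#include <netinet/in.h>		/* IPPROTO_ICMP, IPPROTO_ICMPV6, IPPROTO_TCP */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* The rule all four hunks enforce: ICMP only in IPv4, ICMPv6 only in IPv6. */
static enum verdict icmp_family_check(int af, uint8_t proto)
{
	if (proto == IPPROTO_ICMP && af != AF_INET)
		return VERDICT_DROP;
	if (proto == IPPROTO_ICMPV6 && af != AF_INET6)
		return VERDICT_DROP;
	return VERDICT_PASS;
}

/* Minimal IP header parser (this example's assumption, not pf's pd setup):
 * family from the version nibble, transport protocol, header length.
 * IPv6 extension headers are not walked. Returns 0 on a short/unknown header. */
static int parse_ip(const uint8_t *p, size_t len, int *af, uint8_t *proto,
    size_t *hlen)
{
	if (len < 1)
		return 0;
	if ((p[0] >> 4) == 4) {
		size_t ihl = (size_t)(p[0] & 0x0f) * 4;
		if (ihl < 20 || len < ihl)
			return 0;
		*af = AF_INET; *proto = p[9]; *hlen = ihl;
		return 1;
	}
	if ((p[0] >> 4) == 6 && len >= 40) {
		*af = AF_INET6; *proto = p[6]; *hlen = 40;
		return 1;
	}
	return 0;
}

/* ICMP error types that quote the offending packet after an 8-byte header
 * (list constructed for this example). */
static int icmp_carries_packet(int af, uint8_t type)
{
	if (af == AF_INET)
		return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
	return type >= 1 && type <= 4;
}

/* Outer check (as in pf_test), then the icmp-in-icmp check (as in
 * pf_test_state_icmp) on the quoted header. */
enum verdict classify_packet(const uint8_t *pkt, size_t len)
{
	int af, af2;
	uint8_t proto, proto2;
	size_t hlen, hlen2;

	if (!parse_ip(pkt, len, &af, &proto, &hlen))
		return VERDICT_DROP;
	if (icmp_family_check(af, proto) == VERDICT_DROP)
		return VERDICT_DROP;
	if (proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6)
		return VERDICT_PASS;		/* not ICMP: nothing to check here */
	if (len < hlen + 8)
		return VERDICT_DROP;		/* truncated ICMP header */
	if (!icmp_carries_packet(af, pkt[hlen]))
		return VERDICT_PASS;		/* echo etc.: no quoted packet */
	if (!parse_ip(pkt + hlen + 8, len - hlen - 8, &af2, &proto2, &hlen2))
		return VERDICT_DROP;		/* quoted header truncated */
	return icmp_family_check(af2, proto2);
}

/* Builder for constructed packets: addresses zero, no checksums. */
static size_t put_ip(uint8_t *buf, int af, uint8_t proto)
{
	if (af == AF_INET) {
		memset(buf, 0, 20);
		buf[0] = 0x45;	/* version 4, IHL 5 */
		buf[9] = proto;
		return 20;
	}
	memset(buf, 0, 40);
	buf[0] = 0x60;		/* version 6 */
	buf[6] = proto;		/* next header */
	return 40;
}

/* Outer IP + "destination unreachable" ICMP header + quoted inner IP header. */
enum verdict scenario(int outer_af, uint8_t outer_proto, int inner_af,
    uint8_t inner_proto)
{
	uint8_t pkt[128];
	size_t n = put_ip(pkt, outer_af, outer_proto);

	memset(pkt + n, 0, 8);
	pkt[n] = (outer_af == AF_INET) ? 3 : 1;	/* dest unreach, v4 / v6 */
	n += 8;
	n += put_ip(pkt + n, inner_af, inner_proto);
	return classify_packet(pkt, n);
}
```

scenario(AF_INET, IPPROTO_ICMP, AF_INET, IPPROTO_ICMPV6) is the "ipv4+icmp6 embedded in an icmp payload" case from the commit message and returns VERDICT_DROP; scenario(AF_INET6, IPPROTO_ICMP, AF_INET6, IPPROTO_ICMP) is caught already by the outer check, as in pf_test(). The check on the quoted header runs before anything past the quoted IP header is touched, mirroring the patch's placement of the test ahead of pf_pull_hdr().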