[Bug 258970] Excessive packet validation added into rev.360967 in sys/libalias breaks handling of fragmented [UDP] packets
Date: Wed, 06 Oct 2021 20:08:50 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258970

Bug ID: 258970
Summary: Excessive packet validation added into rev.360967 in sys/libalias breaks handling of fragmented [UDP] packets
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: sobomax@FreeBSD.org

The extra validation added to fix some security issues in the following change broke handling of the fragmented UDP packets. I've only tested it with UDP but it might also affect TCP and ICMP as well.

----
Author: emaste
Date: Tue May 12 16:33:04 2020
New Revision: 360967
URL: https://svnweb.freebsd.org/changeset/base/360967

Log:
  libalias: validate packet lengths before accessing headers

  admbugs: 956
  Submitted by: ae
  Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative
  Reported by: Vishnu working with Trend Micro Zero Day Initiative
  Security: FreeBSD-SA-20:12.libalias

Modified:
  head/sys/netinet/libalias/alias.c
----

As a result, ng_nat (in our case) passes fragmented [UDP] packets unaliased, both first fragment and any subsequent ones. This would also affect other users of sys/libalias, not just ng_nat.
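
Added illustration (not code from libalias, the commit, or the report): one way a length check can trip on fragments, assuming the validation compares the UDP header's length field with the bytes present in the IP packet; the report does not show the check itself. The function names and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MF      0x2000u /* "more fragments" bit of the IPv4 flags/offset word */
#define IP_OFFMASK 0x1fffu /* fragment offset, in 8-byte units */
#define IP_HLEN    20u     /* sample packets carry no IP options */
#define UDP_HLEN   8u

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
static void put16(uint8_t *p, unsigned v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns 1 if the packet passes length validation, 0 if it would be left
 * unaliased. frag_aware = 0 models the assumed strict check (hypothetical). */
static int udp_len_ok(const uint8_t *pkt, size_t len, int frag_aware)
{
    if (len < IP_HLEN)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) << 2;
    size_t ip_len = be16(pkt + 2);
    unsigned frag = be16(pkt + 6);
    if (hlen < IP_HLEN || ip_len > len || ip_len < hlen + UDP_HLEN)
        return 0;                       /* truncated: never read past the buffer */
    if (frag & IP_OFFMASK)
        return 0;                       /* later fragment: no UDP header here */
    size_t dlen = ip_len - hlen;        /* UDP bytes present in this packet */
    size_t ulen = be16(pkt + hlen + 4); /* length of the whole UDP datagram */
    if (frag_aware && (frag & IP_MF))
        return ulen >= UDP_HLEN;        /* first fragment: ulen may exceed dlen */
    return ulen >= UDP_HLEN && dlen >= ulen;
}

/* Constructed sample: IPv4 + UDP headers only, payload bytes left as zero. */
static size_t build_udp(uint8_t *buf, unsigned ip_len, unsigned frag, unsigned ulen)
{
    memset(buf, 0, ip_len);
    buf[0] = 0x45;                      /* version 4, 20-byte header */
    put16(buf + 2, ip_len);
    put16(buf + 6, frag);
    buf[9] = 17;                        /* IPPROTO_UDP */
    put16(buf + IP_HLEN + 4, ulen);
    return ip_len;
}
```

With frag_aware = 0, the first 1500-byte fragment of a datagram whose UDP length field is 3000 is rejected while an unfragmented packet passes. With frag_aware = 1 that first fragment passes, and an oversized length field on an unfragmented packet is still rejected.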