[Bug 258970] Excessive packet validation added into rev.360967 in sys/libalias breaks handling of fragmented [UDP] packets

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 06 Oct 2021 20:08:50 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258970

            Bug ID: 258970
           Summary: Excessive packet validation added into rev.360967 in
                    sys/libalias breaks handling of fragmented [UDP]
                    packets
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: sobomax@FreeBSD.org

The extra validation added to fix some security issues in the following change
broke handling of fragmented UDP packets. I've only tested it with UDP, but
it might affect TCP and ICMP as well.

----
Author: emaste
Date: Tue May 12 16:33:04 2020
New Revision: 360967
URL: https://svnweb.freebsd.org/changeset/base/360967

Log:
  libalias: validate packet lengths before accessing headers

  admbugs:      956
  Submitted by: ae
  Reported by:  Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative
  Reported by:  Vishnu working with Trend Micro Zero Day Initiative
  Security:     FreeBSD-SA-20:12.libalias

Modified:
  head/sys/netinet/libalias/alias.c
----

As a result, ng_nat (in our case) passes fragmented [UDP] packets unaliased,
both the first fragment and any subsequent ones. This would also affect other users
of sys/libalias, not just ng_nat.
