git: af1b05bb32b5 - stable/12 - pf: Fix IP checksum on reassembly
Kristof Provost
kp at FreeBSD.org
Fri May 7 15:26:03 UTC 2021
The branch stable/12 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=af1b05bb32b5440dd999853bd7c01a5b8c0d73f4
commit af1b05bb32b5440dd999853bd7c01a5b8c0d73f4
Author: Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-04-28 10:56:06 +0000
Commit: Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-05-07 08:17:50 +0000
pf: Fix IP checksum on reassembly

If we reassemble a packet we modify the IP header (to set the length and
remove the fragment offset information), but we failed to update the
checksum. On certain setups (mostly where we did not re-fragment again
afterwards) this could lead to us sending out packets with incorrect
checksums.

PR: 255432
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30026

(cherry picked from commit 055c55abefbe19fe46a56894595af9c9dad7678c)
---
sys/netpfil/pf/pf_norm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 2a3c1d442fd4..8f970b68373b 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -790,7 +790,11 @@ pf_reassemble(struct mbuf **m0, struct ip *ip, int dir, u_short *reason)
}
ip = mtod(m, struct ip *);
+ ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_len,
+ htons(hdrlen + total), 0);
ip->ip_len = htons(hdrlen + total);
+ ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_off,
+ ip->ip_off & ~(IP_MF|IP_OFFMASK), 0);
ip->ip_off &= ~(IP_MF|IP_OFFMASK);
if (hdrlen + total > IP_MAXPACKET) {
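Review bot: In the second pf_cksum_fixup() call the new value is built as ip->ip_off & ~(IP_MF|IP_OFFMASK) with no htons(), while ip_len right next to it is stored via htons(hdrlen + total). If ip_off is in network byte order at this point, as ip_len evidently is, the mask should be htons(IP_MF|IP_OFFMASK) in both the fixup argument and the existing assignment; otherwise the wrong bits are cleared on little-endian hosts and the fixup faithfully checksums that wrong value. Separately, each new value is spelled out twice, once for the fixup and once for the store. Computing it into a local first and passing that local to both would keep the checksum and the field from drifting apart in a later edit, and a one-line comment saying that the fixup has to run before the field is overwritten would make the ordering dependency explicit.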