svn commit: r338106 - stable/10/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Mon Aug 20 15:43:09 UTC 2018
Author: kp
Date: Mon Aug 20 15:43:08 2018
New Revision: 338106
URL: https://svnweb.freebsd.org/changeset/base/338106
Log:
MFC r337969:
pf: Limit the maximum number of fragments per packet
Similar to the network stack issue fixed in r337782, pf did not limit the number
of fragments per packet, which could be exploited to generate high CPU loads
with a crafted series of packets.
Limit each packet to no more than 64 fragments. This should be sufficient on
typical networks to allow maximum-sized IP frames.
This addresses the issue for both IPv4 and IPv6.
Security: CVE-2018-5391
Sponsored by: Klara Systems
Modified:
stable/10/sys/netpfil/pf/pf_norm.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/netpfil/pf/pf_norm.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_norm.c Mon Aug 20 14:35:54 2018 (r338105)
+++ stable/10/sys/netpfil/pf/pf_norm.c Mon Aug 20 15:43:08 2018 (r338106)
@@ -95,8 +95,10 @@ struct pf_fragment {
uint16_t fr_max; /* fragment data max */
uint32_t fr_timeout;
uint16_t fr_maxlen; /* maximum length of single fragment */
+ uint16_t fr_entries; /* Total number of pf_fragment entries */
TAILQ_HEAD(pf_fragq, pf_frent) fr_queue;
};
+#define PF_MAX_FRENT_PER_FRAGMENT 64
struct pf_fragment_tag {
uint16_t ft_hdrlen; /* header length of reassembled pkt */
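Review bot: The comment on the new `fr_entries` field says it counts "pf_fragment entries", but the counter is bumped once per `pf_frent` inserted into `fr_queue` (see the later `frag->fr_entries++`), so it names the wrong structure; suggest `uint16_t fr_entries; /* Number of pf_frent entries on fr_queue */`. `PF_MAX_FRENT_PER_FRAGMENT` is introduced without any comment, although the log message gives the rationale for the value; keeping that reasoning next to the constant, e.g. `/* Cap on queued fragments per packet; 64 is enough for maximum-sized IP datagrams (CVE-2018-5391). */`, saves the next reader a trip to the commit history. Placing the `#define` between two struct definitions is also unusual for this file's style; grouping it with the other fragment limits near the top of the file would be more discoverable.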
@@ -436,6 +438,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct
frag->fr_flags = 0;
frag->fr_timeout = time_uptime;
frag->fr_maxlen = frent->fe_len;
+ frag->fr_entries = 0;
TAILQ_INIT(&frag->fr_queue);
RB_INSERT(pf_frag_tree, &V_pf_frag_tree, frag);
@@ -447,6 +450,9 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct
return (frag);
}
+ if (frag->fr_entries >= PF_MAX_FRENT_PER_FRAGMENT)
+ goto bad_fragment;
+
KASSERT(!TAILQ_EMPTY(&frag->fr_queue), ("!TAILQ_EMPTY()->fr_queue"));
/* Remember maximum fragment len for refragmentation. */
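Review bot: The new check `if (frag->fr_entries >= PF_MAX_FRENT_PER_FRAGMENT) goto bad_fragment;` rejects the incoming fragment, but what happens to the already-queued reassembly state depends on the `bad_fragment` label, which lies outside the hunk; a one-line comment stating the intended outcome (whether the existing `pf_fragment` is kept until `fr_timeout` expires or discarded along with this fragment) would make the fail-closed behaviour explicit. Within this commit `fr_entries` is only ever incremented; if the overlap-trimming code later in `pf_fillup_fragment` removes entries from `fr_queue`, they do not appear to be subtracted, so the field is an upper bound rather than an exact count — conservative, but worth recording in a comment such as `/* fr_entries is never decremented: trimmed overlapping entries still count toward the cap. */` (or corrected if a decrement exists elsewhere). `pf_fillup_fragment` starts and ends outside the hunk.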
@@ -518,6 +524,8 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct
TAILQ_INSERT_HEAD(&frag->fr_queue, frent, fr_next);
else
TAILQ_INSERT_AFTER(&frag->fr_queue, prev, frent, fr_next);
+
+ frag->fr_entries++;
return (frag);