svn commit: r317333 - in stable/11/sys: netinet6 netpfil/pf

Kristof Provost kp at FreeBSD.org
Sun Apr 23 08:58:51 UTC 2017 

Author: kp
Date: Sun Apr 23 08:58:50 2017
New Revision: 317333
URL: https://svnweb.freebsd.org/changeset/base/317333

Log:
  MFC r317186
  
  pf: Fix possible incorrect IPv6 fragmentation
  
  When forwarding pf tracks the size of the largest fragment in a fragmented
  packet, and refragments based on this size.
  It failed to ensure that this size was a multiple of 8 (as is required for all
  but the last fragment), so it could end up generating incorrect fragments.
  
  For example, if we received an 8 byte and 12 byte fragment pf would emit a first
  fragment with 12 bytes of payload and the final fragment would claim to be at
  offset 8 (not 12).
  
  We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so
  other users won't make the same mistake.
  
  Reported by:	Antonios Atlasis <aatlasis at secfu net>

Modified:
  stable/11/sys/netinet6/ip6_output.c
  stable/11/sys/netpfil/pf/pf_norm.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet6/ip6_output.c
==============================================================================
--- stable/11/sys/netinet6/ip6_output.c	Sun Apr 23 08:45:55 2017	(r317332)
+++ stable/11/sys/netinet6/ip6_output.c	Sun Apr 23 08:58:50 2017	(r317333)
@@ -225,6 +225,8 @@ ip6_fragment(struct ifnet *ifp, struct m
 	int error;
 	int tlen = m0->m_pkthdr.len;
 
+	KASSERT(( mtu % 8 == 0), ("Fragment length must be a multiple of 8"));
+
 	m = m0;
 	ip6 = mtod(m, struct ip6_hdr *);
 	mnext = &m->m_nextpkt;

Modified: stable/11/sys/netpfil/pf/pf_norm.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf_norm.c	Sun Apr 23 08:45:55 2017	(r317332)
+++ stable/11/sys/netpfil/pf/pf_norm.c	Sun Apr 23 08:58:50 2017	(r317333)
@@ -762,6 +762,10 @@ pf_refragment6(struct ifnet *ifp, struct
 		hdr->ip6_nxt = IPPROTO_FRAGMENT;
 	}
 
+	/* The MTU must be a multiple of 8 bytes, or we risk doing the
+	 * fragmentation wrong. */
+	maxlen = maxlen & ~7;
+
 	/*
 	 * Maxlen may be less than 8 if there was only a single
 	 * fragment.  As it was fragmented before, add a fragment

More information about the svn-src-stable-11 mailing list