svn commit: r344706 - stable/12/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Fri Mar 1 18:12:07 UTC 2019
Author: kp
Date: Fri Mar 1 18:12:05 2019
New Revision: 344706
URL: https://svnweb.freebsd.org/changeset/base/344706
Log:
MFC r344691:
pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic
We mistakenly used the extoff value from the last packet to patch the
next_header field. If a malicious host sends a chain of fragmented packets
where the first packet and the final packet have different lengths or number of
extension headers we'd patch the next_header at the wrong offset.
This can potentially lead to panics or rule bypasses.
Reported by: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
Approved by: so
Obtained from: OpenBSD
Security: CVE-2019-5597
Modified:
stable/12/sys/netpfil/pf/pf_norm.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netpfil/pf/pf_norm.c
==============================================================================
--- stable/12/sys/netpfil/pf/pf_norm.c Fri Mar 1 16:16:38 2019 (r344705)
+++ stable/12/sys/netpfil/pf/pf_norm.c Fri Mar 1 18:12:05 2019 (r344706)
@@ -668,11 +668,11 @@ pf_reassemble6(struct mbuf **m0, struct ip6_hdr *ip6,
}
/* We have all the data. */
+ frent = TAILQ_FIRST(&frag->fr_queue);
+ KASSERT(frent != NULL, ("frent != NULL"));
extoff = frent->fe_extoff;
maxlen = frag->fr_maxlen;
frag_id = frag->fr_id;
- frent = TAILQ_FIRST(&frag->fr_queue);
- KASSERT(frent != NULL, ("frent != NULL"));
total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off +
TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len;
hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag);
More information about the svn-src-stable
mailing list