git: a66d33fcf334 - releng/14.1 - pf: allow MLD LR to be sent without state

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 07 Aug 2024 13:44:25 UTC
The branch releng/14.1 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=a66d33fcf334ec0b8f5a13575f9788b269f4a3fa

commit a66d33fcf334ec0b8f5a13575f9788b269f4a3fa
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-07-10 12:36:18 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-08-07 13:32:20 +0000

    pf: allow MLD LR to be sent without state
    
    Change PF behavior to allow MLD Listener Report packets to be sent
    without needing a previously created state by MLD Listener Query. It
    wasn't working because: (1) you might not have a previous MLD Listener
    Query and (2) the addresses of the Query and Report don't match.
    
    ok mikeb@, sashan@
    
    Approved by:    so
    Security:       FreeBSD-SA-24:05.pf
    Security:       CVE-2024-6640
    MFC after:      1 day
    Obtained From:  OpenBSD, rzalamena <rzalamena@openbsd.org>, 5c526dbdb0f2
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 1afe4da75d1d2acd33b25eea942af28aa41c82c2)
    (cherry picked from commit 3382c691dc6a0d4e1f39ff67b5507f6542972498)
---
 sys/netpfil/pf/pf.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 275c29d20fd5..1cc85edfe3dc 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -1843,8 +1843,15 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
 			break;
 
 		case MLD_LISTENER_QUERY:
-			*icmp_dir = PF_IN;
 		case MLD_LISTENER_REPORT: {
+			/*
+			 * Listener Report can be sent by clients
+			 * without an associated Listener Query.
+			 * In addition to that, when Report is sent as a
+			 * reply to a Query its source and destination
+			 * address are different.
+			 */
+			*icmp_dir = PF_IN;
 			*virtual_type = MLD_LISTENER_QUERY;
 			*virtual_id = 0;
 			break;
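
Review bot: The new comment in the MLD_LISTENER_REPORT case is ambiguous where it says "its source and destination address are different": read literally, that describes the Report's own two addresses, while the commit message says the addresses of the Query and the Report don't match. Suggest rewording it to say that the Report's addresses differ from those of the Query it answers. It would also help to add a sentence on why assigning *icmp_dir = PF_IN under the shared label lets a Report pass without a Query-created state, since the hunk only shows the assignment moving from the MLD_LISTENER_QUERY case to below the MLD_LISTENER_REPORT label, and the effect on state lookup is not visible here.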