Date: Wed, 12 Feb 2025 19:39:10 GMT
Message-Id: <202502121939.51CJdAB0061743@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: d62832e21a0e - main - pf: make length overflow protection more obvious

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=d62832e21a0e396470bbe072ad33496e708db582

commit d62832e21a0e396470bbe072ad33496e708db582
Author:     Kristof Provost
AuthorDate: 2025-02-06 15:43:14 +0000
Commit:     Kristof Provost
CommitDate: 2025-02-12 19:38:38 +0000

    pf: make length overflow protection more obvious

    Before pulling the TCP options from the mbuf onto the stack, do an
    additional length check in pf_modulate_sack() and pf_normalize_mss().
    Overflow cannot happen due to the restricted values in the length
    calculation. As this is not obvious, be better safe than sorry.
    OK henning@

    Obtained from: OpenBSD, henning , a9e7ebb0d5
    Sponsored by: Rubicon Communications, LLC ("Netgate")
--- sys/netpfil/pf/pf.c | 2 +- sys/netpfil/pf/pf_norm.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 3a56e6855d6f..6fdc0996324b 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -3867,7 +3867,7 @@ pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th, struct sackblk sack; #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) - if (hlen < TCPOLEN_SACKLEN || + if (hlen < TCPOLEN_SACKLEN || hlen > MAX_TCPOPTLEN || !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) return 0;
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 7290ede8d393..6546f8684a68 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1945,8 +1945,8 @@ pf_normalize_mss(struct pf_pdesc *pd) thoff = th->th_off << 2; cnt = thoff - sizeof(struct tcphdr); - if (cnt > 0 && !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, cnt, - NULL, NULL, pd->af)) + if (cnt <= 0 || cnt > MAX_TCPOPTLEN || !pf_pull_hdr(pd->m, + pd->off + sizeof(*th), opts, cnt, NULL, NULL, pd->af)) return (0); for (; cnt > 0; cnt -= optlen, optp += optlen) {
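Review bot: In the pf.c hunk, the new "hlen > MAX_TCPOPTLEN" clause in pf_modulate_sack() bounds the length by a named constant, but the copy that follows writes hlen bytes into opts, whose declaration is outside the visible context. Since the stated aim is to make the protection obvious, consider comparing against sizeof(opts) instead, or adding a compile-time assertion that opts holds at least MAX_TCPOPTLEN bytes, so the check cannot silently drift from the buffer it guards. A one-line comment above the condition saying that the bound protects the on-stack copy would also help the next reader.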
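Review bot: In the pf_norm.c hunk, the "cnt <= 0" clause in pf_normalize_mss() changes control flow beyond the upper bound the commit message describes. The old condition "cnt > 0 && !pf_pull_hdr(...)" let a header with no options skip the pull and fall through to the "for (; cnt > 0; ...)" loop, which ran zero times, and then on to whatever follows the loop; the new condition returns (0) immediately in that case. Please confirm that nothing after the loop needs to run for an option-less header, and mention the early return in the commit message or a comment so it does not read as a pure bounds check. The same remark about tying the limit to sizeof(opts) applies to "cnt > MAX_TCPOPTLEN" here.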