Date: Tue, 18 Feb 2025 17:43:15 GMT
Message-Id: <202502181743.51IHhF07021368@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: f84494807ec4 - stable/13 - pf: fix fragment hole count
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: f84494807ec4cc393e09bc6e37d574fd2a691f4a

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=f84494807ec4cc393e09bc6e37d574fd2a691f4a

commit f84494807ec4cc393e09bc6e37d574fd2a691f4a
Author:     Kristof Provost
AuthorDate: 2025-02-04 16:19:55 +0000
Commit:     Kristof Provost
CommitDate: 2025-02-18 16:49:42 +0000

    pf: fix fragment hole count

    Fragment reassembly finishes when no holes are left in the fragment
    queue.  In certain overlap conditions, the hole counter was wrong and
    pf(4) created an incomplete IP packet.  Before adjusting the length,
    remove the overlapping fragment from the queue and insert it again
    afterwards.  pf_frent_remove() and pf_frent_insert() adjust the hole
    counter automatically.
    bug reported and fix tested by Lucas Aubard with Johan Mazel,
    Gilles Guette and Pierre Chifflier; OK claudio@

    MFC after:      1 week
    Obtained from:  OpenBSD, bluhm, 9915416fe8
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 8b2feafb535d10a559b995c6fc2529715f927e2a)
---
 sys/netpfil/pf/pf_norm.c | 33 ++++++++++-----------------------
 1 file changed, 10 insertions(+), 23 deletions(-)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 40296aff27bb..38d92c372da5 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c 
@@ -549,7 +549,6 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, struct pf_frent *after, *next, *prev; struct pf_fragment *frag; uint16_t total; - int old_index, new_index; PF_FRAG_ASSERT(); @@ -663,32 +662,20 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, uint16_t aftercut; aftercut = frent->fe_off + frent->fe_len - after->fe_off; - DPFPRINTF(("adjust overlap %d\n", aftercut)); if (aftercut < after->fe_len) { + DPFPRINTF(("frag tail overlap %d", aftercut)); m_adj(after->fe_m, aftercut); - old_index = pf_frent_index(after); + /* Fragment may switch queue as fe_off changes */ + pf_frent_remove(frag, after); after->fe_off += aftercut; after->fe_len -= aftercut; - new_index = pf_frent_index(after); - if (old_index != new_index) { - DPFPRINTF(("frag index %d, new %d\n", - old_index, new_index)); - /* Fragment switched queue as fe_off changed */ - after->fe_off -= aftercut; - after->fe_len += aftercut; - /* Remove restored fragment from old queue */ - pf_frent_remove(frag, after); - after->fe_off += aftercut; - after->fe_len -= aftercut; - /* Insert into correct queue */ - if (pf_frent_insert(frag, after, prev)) { - DPFPRINTF( - ("fragment requeue limit exceeded\n")); - m_freem(after->fe_m); - uma_zfree(V_pf_frent_z, after); - /* There is not way to recover */ - goto bad_fragment; - } + /* Insert into correct queue */ + if (pf_frent_insert(frag, after, prev)) { + DPFPRINTF(("fragment requeue limit exceeded")); + m_freem(after->fe_m); + uma_zfree(V_pf_frent_z, after); + /* There is not way to recover */ + goto free_fragment; } break; }
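
Review bot: In the second hunk (@@ -663,32 +662,20 @@), the requeue failure branch now exits with `goto free_fragment` where the removed code used `goto bad_fragment`, and the commit message does not mention the change. Neither label is visible in this context, so please confirm that free_fragment exists on stable/13 and releases the rest of the reassembly queue; by that point `after` has already been taken out with pf_frent_remove(), its mbuf freed with m_freem() and the entry returned with uma_zfree(), so the cleanup path must not touch `after` again. A sentence in the log explaining the label change would help. Separately, the added DPFPRINTF strings ("frag tail overlap %d" and "fragment requeue limit exceeded") drop the trailing "\n" that the removed ones carried; check that DPFPRINTF on this branch appends a newline itself, otherwise restore it. The carried-over comment "There is not way to recover" should read "There is no way to recover".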