Date: Fri, 9 May 2025 22:16:17 GMT
Message-Id: <202505092216.549MGHhp062913@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 130b5e3f536e - main - pf: be more strict about IPv6 fragments
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=130b5e3f536e322f3e96ad1d786cbac3592f10c3

commit 130b5e3f536e322f3e96ad1d786cbac3592f10c3
Author:     Kristof Provost
AuthorDate: 2025-05-08 14:52:53 +0000
Commit:     Kristof Provost
CommitDate: 2025-05-09 20:49:28 +0000

    pf: be more strict about IPv6 fragments

    Follow RFC 5722 more strictly when handling overlapping fragments in
    pf. Drop the whole fragment state if IPv6 fragments appear which have
    invalid length or fragment-offset or more-fragment-bit. In IPv4 they
    are considered invalid and just dropped like before.

    Found by Antonios Atlasis; OK sashan@ sthen@

    Obtained from:  OpenBSD, bluhm , f0f63321f2
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
--- sys/netpfil/pf/pf_norm.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index c77895d1829d..8157ea556591 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c 
@@ -603,16 +603,16 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, /* Non terminal fragments must have more fragments flag. */ if (frent->fe_off + frent->fe_len < total && !frent->fe_mff) - goto bad_fragment; + goto free_ipv6_fragment; /* Check if we saw the last fragment already. */ if (!TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_mff) { if (frent->fe_off + frent->fe_len > total || (frent->fe_off + frent->fe_len == total && frent->fe_mff)) - goto bad_fragment; + goto free_ipv6_fragment; } else { if (frent->fe_off + frent->fe_len == total && !frent->fe_mff) - goto bad_fragment; + goto free_ipv6_fragment; } /* Find neighbors for newly inserted fragment */ @@ -680,6 +680,9 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, return (frag); +free_ipv6_fragment: + if (frag->fr_af == AF_INET) + goto bad_fragment; free_fragment: /* * RFC 5722, Errata 3089: When reassembling an IPv6 datagram, if one
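Review bot: the three retargeted gotos in the first hunk (@@ -603) now jump to a label that reads frag->fr_af, so each of them depends on frag being valid at that point, and the hunk does not make that precondition visible for the first check. The second and third checks sit under a TAILQ_LAST(&frag->fr_queue, pf_fragq) dereference, but the "Non terminal fragments must have more fragments flag" test comes before it. A KASSERT(frag != NULL, ...) ahead of that test, or a one-line comment stating that frag has already been looked up or created, would document the assumption. Any validity check in pf_fillup_fragment() that can run before frag is set has to stay on goto bad_fragment.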
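Review bot: the new free_ipv6_fragment label in the second hunk (@@ -680) is entered for both address families and reaches free_fragment by an unannotated fall-through, which makes the error path easy to misread. The name suggests IPv6 only, yet IPv4 arrives here too and is bounced to bad_fragment by the frag->fr_af == AF_INET test. Consider a short comment at the label saying that IPv4 keeps the old drop-only behaviour while IPv6 discards the whole reassembly state, plus a /* FALLTHROUGH */ marker before free_fragment. The existing comment under free_fragment cites RFC 5722 Errata 3089 for overlapping fragments only, so it is worth extending it to cover the length, offset and more-fragments cases the commit message names. The diffstat shows only pf_norm.c changed; a regression test that sends an inconsistent IPv6 fragment and checks that the queued fragments are dropped would pin the new behaviour.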