git: 9fe189c79a81 - stable/14 - pf: improve ASCONF chunk validation

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 05 May 2026 16:25:56 UTC
The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9fe189c79a8161380800dcff1d15c4cea7467a7e

commit 9fe189c79a8161380800dcff1d15c4cea7467a7e
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-04-28 08:54:24 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-05-05 07:34:26 +0000

    pf: improve ASCONF chunk validation
    
    When processing an ASCONF chunk we failed to verify that the chunk
    length was at least 8 bytes. As a result we might end up passing a
    negative length to pf_multihome_scan(). Fortunately this merely meant
    the function did nothing, but we should discard such invalid packets, so
    explicitly check for this.
    
    MFC after:      1 week
    Reported by:    Mark Johnston
    Sponsored by:   Orange Business Services
    
    (cherry picked from commit bea1c2fcd7839fd90a8ce96d6dc6a033779bc3c2)
---
 sys/netpfil/pf/pf.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3eab758296a9..469087a040e1 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6707,6 +6707,9 @@ pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
 			    NULL, NULL, pd->af))
 				return (PF_DROP);
 
+			if (ntohs(ah.ph.param_length) < sizeof(ah))
+				return (PF_DROP);
+
 			ret = pf_multihome_scan(m, start + off + sizeof(ah),
 			    ntohs(ah.ph.param_length) - sizeof(ah), pd, kif,
 			    SCTP_ADD_IP_ADDRESS, true);
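Review bot: The added `if (ntohs(ah.ph.param_length) < sizeof(ah))` check bounds the length only from below. Nothing in the visible lines compares param_length with the bytes left in the enclosing scan (`len` minus `off`), so a parameter claiming more data than the caller was given still reaches the recursive pf_multihome_scan() call. If that upper bound is enforced elsewhere, a one-line comment here saying so would help. Otherwise consider also dropping when the length exceeds `len - off`. A short comment tying `sizeof(ah)` to the 8-byte minimum named in the commit message would also make the intent clear to the next reader.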
@@ -6724,6 +6727,10 @@ pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
 			if (!pf_pull_hdr(m, start + off, &ah, sizeof(ah),
 			    NULL, NULL, pd->af))
 				return (PF_DROP);
+
+			if (ntohs(ah.ph.param_length) < sizeof(ah))
+				return (PF_DROP);
+
 			ret = pf_multihome_scan(m, start + off + sizeof(ah),
 			    ntohs(ah.ph.param_length) - sizeof(ah), pd, kif,
 			    SCTP_DEL_IP_ADDRESS, true);
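Review bot: The three-line length check before the SCTP_DEL_IP_ADDRESS call duplicates the one added before the SCTP_ADD_IP_ADDRESS call, and each site still evaluates `ntohs(ah.ph.param_length)` twice, once for the check and once for the subtraction. Converting it once into a local and using that for both the comparison and the length argument would keep the two from drifting apart, and the two sites could share the validation. The diffstat shows only pf.c changing, so a regression test that sends an ASCONF with an undersized length and expects PF_DROP would be worth adding alongside.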