Date: Tue, 18 Feb 2025 17:43:15 GMT
Message-Id: <202502181743.51IHhF2M021363@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 2e0f053ad52b - stable/14 - pf: fix fragment hole count
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 2e0f053ad52b38bd8bca72f817d7347df87dbe98
Auto-Submitted: auto-generated

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=2e0f053ad52b38bd8bca72f817d7347df87dbe98

commit 2e0f053ad52b38bd8bca72f817d7347df87dbe98
Author:     Kristof Provost
AuthorDate: 2025-02-04 16:19:55 +0000
Commit:     Kristof Provost
CommitDate: 2025-02-18 17:40:26 +0000

    pf: fix fragment hole count

    Fragment reassembly finishes when no holes are left in the fragment
    queue. In certain overlap conditions, the hole counter was wrong and
    pf(4) created an incomplete IP packet. Before adjusting the length,
    remove the overlapping fragment from the queue and insert it again
    afterwards. pf_frent_remove() and pf_frent_insert() adjust the hole
    counter automatically.

    bug reported and fix tested by Lucas Aubard with Johan Mazel, Gilles
    Guette and Pierre Chifflier; OK claudio@

    MFC after:      1 week
    Obtained from:  OpenBSD, bluhm, 9915416fe8
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 8b2feafb535d10a559b995c6fc2529715f927e2a)
---
 sys/netpfil/pf/pf_norm.c | 33 ++++++++++-----------------------
 1 file changed, 10 insertions(+), 23 deletions(-)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index e6e1549d3689..414dc258cfa5 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c
@@ -547,7 +547,6 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, struct pf_frent *after, *next, *prev; struct pf_fragment *frag; uint16_t total; - int old_index, new_index; PF_FRAG_ASSERT(); @@ -661,32 +660,20 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, uint16_t aftercut; aftercut = frent->fe_off + frent->fe_len - after->fe_off; - DPFPRINTF(("adjust overlap %d\n", aftercut)); if (aftercut < after->fe_len) { + DPFPRINTF(("frag tail overlap %d", aftercut)); m_adj(after->fe_m, aftercut); - old_index = pf_frent_index(after); + /* Fragment may switch queue as fe_off changes */ + pf_frent_remove(frag, after); after->fe_off += aftercut; after->fe_len -= aftercut; - new_index = pf_frent_index(after); - if (old_index != new_index) { - DPFPRINTF(("frag index %d, new %d\n", - old_index, new_index)); - /* Fragment switched queue as fe_off changed */ - after->fe_off -= aftercut; - after->fe_len += aftercut; - /* Remove restored fragment from old queue */ - pf_frent_remove(frag, after); - after->fe_off += aftercut; - after->fe_len -= aftercut; - /* Insert into correct queue */ - if (pf_frent_insert(frag, after, prev)) { - DPFPRINTF( - ("fragment requeue limit exceeded\n")); - m_freem(after->fe_m); - uma_zfree(V_pf_frent_z, after); - /* There is not way to recover */ - goto bad_fragment; - } + /* Insert into correct queue */ + if (pf_frent_insert(frag, after, prev)) { + DPFPRINTF(("fragment requeue limit exceeded")); + m_freem(after->fe_m); + uma_zfree(V_pf_frent_z, after); + /* There is not way to recover */ + goto free_fragment; } break; }
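
Review bot: In the second hunk's requeue failure path, the jump target changes from `goto bad_fragment` to `goto free_fragment`, but neither label's body is in the diff and the commit message does not mention the change. At that point `after` has already been taken off its queue by pf_frent_remove() and freed with m_freem()/uma_zfree(), so please confirm that free_fragment releases the remaining entries of `frag` and still disposes of the incoming `frent` the way bad_fragment did, and that nothing on that path touches `after` again. A one-line comment at the goto saying why the whole fragment is dropped here would help, since the existing comment only says "There is not way to recover" (also worth correcting to "no way"). Separately, the two added DPFPRINTF strings, "frag tail overlap %d" and "fragment requeue limit exceeded", drop the trailing \n that the removed DPFPRINTF calls in this same block carried; unless the macro in this file appends a newline itself, the debug output will run together, so keep the \n.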