From nobody Tue Feb 18 17:43:14 2025
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Yy6Lr0MWqz5nwQJ;
	Tue, 18 Feb 2025 17:43:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Yy6Lq2wRPz3WfY;
	Tue, 18 Feb 2025 17:43:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1739900595;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=PZcrdqxGVu5SckVoJ/R+eficLU8TY2Ikrvw3vO7MGng=;
	b=xMzdRKN648/wkL4BPkQ5dX+qCq33YiSgrJzM28Un0PIWVgS/jhqlYKKMxQYFYrHnivm6Mf
	ADG0+KiFkr5AzZqos6ZxUTUtOOjdWlTcA2pkatGd/kmwvnnEaL5hW2SvItnoY59xqV7TMI
	9gm3t8Cut7VzsRItrrNDIci5kXDrzNShas6m1f5hiYK9VHDjPH0x1JdOQk7VxQvkCNJUNI
	Y2I2Qic9p8SFN09ad6x/MyoZ9bURuv62LyNR/VRhjYjG9eIlIJznIvuXWM+Hl/130gr1vt
	sZvg4EVnHqnH8e4Jw+wFBN3DHgcpT6qf9cuLs4QxSBkWjSEsufx9VUB0jtIZSQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1739900595; a=rsa-sha256; cv=none;
	b=wT4SvGs5b4gXMSWaZSVZRIrqB09U6OP+NytL4LL2UAwN/Qtuk0eFKAElkS1tB/+8aDLrU9
	b6mMucCoxkPySwEtDirJCM12eT0QfJsX7RXQJaONu2m8CBC2xNA7Cq6NdVTy9S1VPcDHS8
	qUPfIQvD+mryl86qbeQXSFJU0UyghGieuro9GCL/Tz/UD3n/QyIxdbM/bxBTKMdcZ+Xchg
	q/qmQqiA2a3g6O8YXzV3mrtGmLi2QGWpATFbfAD8OQ6q56WnPXStSUQR0cbjUjRww+blz5
	n5Dk47RG3qUGtIvo6npRbbPzS7ToS00HPS09zXxocr467Ljl/zdIPu1EviQ6CQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1739900595;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=PZcrdqxGVu5SckVoJ/R+eficLU8TY2Ikrvw3vO7MGng=;
	b=bb+SsqPXfOzAel6wwsMtzx+OJHF6Jb68N9ZLEV5EkavFx4jHTTaf+GhBaXC0ax77GrvwpD
	YD7ZVH4+yK0lhYH++dfXTzxJvBADC3aq8jBbxT7JP71kC53OyqVy2AI+w8UnoYVA/vioka
	spDxCLiFwxGkQnKecXKZ39eBcNxOC7YSBIRLQL8F+vZymqQB9dXW+VtURyQRZ/fvnP5s6w
	B/zFPsnSHu19TlcBcbaEU5J55S7wgx50+laDaAyV9pbIMluIQ+7jrrItMNteBGrNxDPqso
	7vtm+N8Yr/rJ7k/ZTczCn/hXz2pTkThJDvrL01H7wCagLf5jH7yK7tvlUyVJNQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Yy6Lp5XwVzTt9;
	Tue, 18 Feb 2025 17:43:14 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 51IHhEiZ021305;
	Tue, 18 Feb 2025 17:43:14 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 51IHhEcq021302;
	Tue, 18 Feb 2025 17:43:14 GMT
	(envelope-from git)
Date: Tue, 18 Feb 2025 17:43:14 GMT
Message-Id: <202502181743.51IHhEcq021302@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: a5b6cff9a6ce - stable/13 - pf: do not keep state when
  dropping overlapping IPv6 fragments
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: a5b6cff9a6ce7f57c4489a715dd30254823a770b
Auto-Submitted: auto-generated

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a5b6cff9a6ce7f57c4489a715dd30254823a770b

commit a5b6cff9a6ce7f57c4489a715dd30254823a770b
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-01-09 13:11:11 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-18 16:49:42 +0000

    pf: do not keep state when dropping overlapping IPv6 fragments
    
    ok sperreault@
    
    Obtained from:  OpenBSD, bluhm <bluhm@openbsd.org>, cd45765685
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 3b79f6d2d39405bcac395dc036ceb6f8fd09ce99)
---
 sys/netpfil/pf/pf_norm.c | 30 ++++++++----------------------
 1 file changed, 8 insertions(+), 22 deletions(-)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 936aa3c3c0e4..40296aff27bb 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -608,15 +608,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
 		return (frag);
 	}
 
-	if (TAILQ_EMPTY(&frag->fr_queue)) {
-		/*
-		 * Overlapping IPv6 fragments have been detected.  Do not
-		 * reassemble packet but also drop future fragments.
-		 * This will be done for this ident/src/dst combination
-		 * until fragment queue timeout.
-		 */
-		goto drop_fragment;
-	}
+	KASSERT(!TAILQ_EMPTY(&frag->fr_queue), ("!TAILQ_EMPTY()->fr_queue"));
 
 	/* Remember maximum fragment len for refragmentation. */
 	if (frent->fe_len > frag->fr_maxlen)
@@ -653,7 +645,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
 		uint16_t precut;
 
 		if (frag->fr_af == AF_INET6)
-			goto flush_fragentries;
+			goto free_fragment;
 
 		precut = prev->fe_off + prev->fe_len - frent->fe_off;
 		if (precut >= frent->fe_len) {
@@ -717,21 +709,15 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
 
 	return (frag);
 
-flush_fragentries:
+free_fragment:
 	/*
-	 * RFC5722:  When reassembling an IPv6 datagram, if one or
-	 * more its constituent fragments is determined to be an
-	 * overlapping fragment, the entire datagram (and any constituent
-	 * fragments, including those not yet received) MUST be
-	 * silently discarded.
+	 * RFC 5722, Errata 3089:  When reassembling an IPv6 datagram, if one
+	 * or more its constituent fragments is determined to be an overlapping
+	 * fragment, the entire datagram (and any constituent fragments) MUST
+	 * be silently discarded.
 	 */
 	DPFPRINTF(("flush overlapping fragments\n"));
-	while ((prev = TAILQ_FIRST(&frag->fr_queue)) != NULL) {
-		TAILQ_REMOVE(&frag->fr_queue, prev, fr_next);
-
-		m_freem(prev->fe_m);
-		uma_zfree(V_pf_frent_z, prev);
-	}
+	pf_free_fragment(frag);
 
 bad_fragment:
 	REASON_SET(reason, PFRES_FRAG);