git: 730fb48f1387 - stable/15 - pf: improve ASCONF chunk validation
Date: Tue, 05 May 2026 16:25:55 UTC
The branch stable/15 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=730fb48f1387812ab82ea3b0ef807e6824425318
commit 730fb48f1387812ab82ea3b0ef807e6824425318
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-04-28 08:54:24 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-05-05 07:33:23 +0000
pf: improve ASCONF chunk validation
When processing an ASCONF chunk we failed to verify that the chunk
length was at least 8 bytes. As a result we might end up passing a
negative length to pf_multihome_scan(). Fortunately this merely meant
the function did nothing, but we should discard such invalid packets, so
explicitly check for this.
MFC after: 1 week
Reported by: Mark Johnston
Sponsored by: Orange Business Services
(cherry picked from commit bea1c2fcd7839fd90a8ce96d6dc6a033779bc3c2)
---
sys/netpfil/pf/pf.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 7aee28e7b917..05a71cd45a35 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7794,6 +7794,9 @@ pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op, bool asconf)
NULL, NULL, pd->af))
return (PF_DROP);
+ if (ntohs(ah.ph.param_length) < sizeof(ah))
+ return (PF_DROP);
+
ret = pf_multihome_scan(start + off + sizeof(ah),
ntohs(ah.ph.param_length) - sizeof(ah), pd,
SCTP_ADD_IP_ADDRESS, true);
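Review bot: the new check ahead of the SCTP_ADD_IP_ADDRESS call bounds ah.ph.param_length from below only; nothing in the visible lines compares it with the len remaining in the enclosing scan, so unless that is enforced elsewhere in the function the nested pf_multihome_scan() can still be handed a length that extends past the enclosing chunk. It is worth confirming that and, if it is missing, rejecting the packet in the same place. A one-line comment would also help here: the commit message states the minimum as 8 bytes while the code states it as sizeof(ah), and the reason the check matters is that "ntohs(ah.ph.param_length) - sizeof(ah)" is evaluated before being passed as the int len argument. Minor style point: this hunk has no blank line between the pf_pull_hdr() failure return and the new check, while the second hunk adds one.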
@@ -7811,6 +7814,10 @@ pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op, bool asconf)
if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
NULL, NULL, pd->af))
return (PF_DROP);
+
+ if (ntohs(ah.ph.param_length) < sizeof(ah))
+ return (PF_DROP);
+
ret = pf_multihome_scan(start + off + sizeof(ah),
ntohs(ah.ph.param_length) - sizeof(ah), pd,
SCTP_DEL_IP_ADDRESS, true);
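Review bot: the check ahead of the SCTP_DEL_IP_ADDRESS call is a verbatim copy of the one added in the previous hunk, and the pf_pull_hdr() block around it is duplicated as well. Consider moving the header pull and the "ntohs(ah.ph.param_length) < sizeof(ah)" test into one shared path or small helper that both cases use, so a future change to the validation cannot be applied to one case and missed in the other.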