git: fd72bfa626bc - main - pf: ensure mbufs are long enough before we copy out IP(v6) headers
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 28 Jun 2022 08:43:42 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=fd72bfa626bcb9950eb2b057f224a7236e85e0af
commit fd72bfa626bcb9950eb2b057f224a7236e85e0af
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-06-24 07:41:00 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-06-28 08:31:23 +0000
pf: ensure mbufs are long enough before we copy out IP(v6) headers
This isn't likely to be an issue on real hardware (as Ethernet has a
minimal packet length of 64 bytes), but can cause panics with short
packets on if_epair.
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 275e1fcdbeb4..94ec0645fdeb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3899,6 +3899,10 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
switch (proto) {
#ifdef INET
case ETHERTYPE_IP: {
+ if (m_length(m, NULL) < (sizeof(struct ether_header) +
+ sizeof(ip)))
+ return (PF_DROP);
+
af = AF_INET;
m_copydata(m, sizeof(struct ether_header), sizeof(ip),
(caddr_t)&ip);
@@ -3909,6 +3913,10 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
#endif /* INET */
#ifdef INET6
case ETHERTYPE_IPV6: {
+ if (m_length(m, NULL) < (sizeof(struct ether_header) +
+ sizeof(ip6)))
+ return (PF_DROP);
+
af = AF_INET6;
m_copydata(m, sizeof(struct ether_header), sizeof(ip6),
(caddr_t)&ip6);