Date: Tue, 11 Feb 2025 10:32:59 GMT
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 8b2feafb535d - main - pf: fix fragment hole count

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=8b2feafb535d10a559b995c6fc2529715f927e2a

commit 8b2feafb535d10a559b995c6fc2529715f927e2a
Author:     Kristof Provost
AuthorDate: 2025-02-04 16:19:55 +0000
Commit:     Kristof Provost
CommitDate: 2025-02-11 10:32:21 +0000

    pf: fix fragment hole count

    Fragment reassembly finishes when no holes are left in the fragment
    queue.  In certain overlap conditions, the hole counter was wrong and
    pf(4) created an incomplete IP packet.  Before adjusting the length,
    remove the overlapping fragment from the queue and insert it again
    afterwards.  pf_frent_remove() and pf_frent_insert() adjust the hole
    counter automatically.

    bug reported and fix tested by Lucas Aubard with Johan Mazel,
    Gilles Guette and Pierre Chifflier; OK claudio@

    MFC after:      1 week
    Obtained from:  OpenBSD, bluhm , 9915416fe8
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_norm.c | 33 ++++++++++-----------------------
 1 file changed, 10 insertions(+), 23 deletions(-)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index f096ea9e493f..7290ede8d393 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c
@@ -534,7 +534,6 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, struct pf_frent *after, *next, *prev; struct pf_fragment *frag; uint16_t total; - int old_index, new_index; PF_FRAG_ASSERT(); @@ -648,32 +647,20 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, uint16_t aftercut; aftercut = frent->fe_off + frent->fe_len - after->fe_off; - DPFPRINTF(("adjust overlap %d\n", aftercut)); if (aftercut < after->fe_len) { + DPFPRINTF(("frag tail overlap %d", aftercut)); m_adj(after->fe_m, aftercut); - old_index = pf_frent_index(after); + /* Fragment may switch queue as fe_off changes */ + pf_frent_remove(frag, after); after->fe_off += aftercut; after->fe_len -= aftercut; - new_index = pf_frent_index(after); - if (old_index != new_index) { - DPFPRINTF(("frag index %d, new %d\n", - old_index, new_index)); - /* Fragment switched queue as fe_off changed */ - after->fe_off -= aftercut; - after->fe_len += aftercut; - /* Remove restored fragment from old queue */ - pf_frent_remove(frag, after); - after->fe_off += aftercut; - after->fe_len -= aftercut; - /* Insert into correct queue */ - if (pf_frent_insert(frag, after, prev)) { - DPFPRINTF( - ("fragment requeue limit exceeded\n")); - m_freem(after->fe_m); - uma_zfree(V_pf_frent_z, after); - /* There is not way to recover */ - goto bad_fragment; - } + /* Insert into correct queue */ + if (pf_frent_insert(frag, after, prev)) { + DPFPRINTF(("fragment requeue limit exceeded")); + m_freem(after->fe_m); + uma_zfree(V_pf_frent_z, after); + /* There is not way to recover */ + goto free_fragment; } break; }
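
Review bot: In the pf_frent_insert() failure branch at the end of the second hunk, the jump target changes from "goto bad_fragment" to "goto free_fragment", but the commit message only describes the hole-counter fix and does not mention a different cleanup path. Neither label is visible in this hunk, so please add a sentence to the log saying what free_fragment releases that bad_fragment did not, and confirm that "after", which has already been passed to m_freem() and uma_zfree() at this point, is not reachable from whatever that label tears down. Two smaller points in the same hunk: the new DPFPRINTF strings ("frag tail overlap %d" and "fragment requeue limit exceeded") drop the trailing "\n" that the removed ones carried, so unless the macro appends a newline itself the debug output will run together; and the comment carried over on the added line, "There is not way to recover", should read "There is no way to recover".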