To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: 8dfb0805fc31 - main - ipfilter: Validate length before checksum
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8dfb0805fc31cd78940429ab0560dae7e8ab6536
Date: Wed, 20 May 2026 15:34:52 +0000
Message-Id: <6a0dd49c.45e35.f3ed5e8@gitrepo.freebsd.org>

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=8dfb0805fc31cd78940429ab0560dae7e8ab6536

commit 8dfb0805fc31cd78940429ab0560dae7e8ab6536
Author:     Cy Schubert
AuthorDate: 2026-05-11 15:44:52 +0000
Commit:     Cy Schubert
CommitDate: 2026-05-20 15:32:37 +0000

    ipfilter: Validate length before checksum

    Validate the length of the packet listed in the mbuf is the same as the
    calculated packet length. If not reject the packet and bump the bad
    packet stat.

    PR:             295198
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D57095
---
 sys/netpfil/ipfilter/netinet/fil.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 9217572aac50..cabc6c350981 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c 
@@ -1991,7 +1991,7 @@ ipf_checkcipso(fr_info_t *fin, u_char *s, int ol) /* ------------------------------------------------------------------------ */ /* Function: ipf_makefrip */ -/* Returns: int - 0 == packet ok, -1 == packet freed */ +/* Returns: int - 0 == packet ok, -1 == packet freed or bad length */ /* Parameters: hlen(I) - length of IP packet header */ /* ip(I) - pointer to the IP header */ /* fin(IO) - pointer to packet information */ @@ -2019,14 +2019,23 @@ ipf_makefrip(int hlen, ip_t *ip, fr_info_t *fin) if (v == 4) { fin->fin_plen = ntohs(ip->ip_len); fin->fin_dlen = fin->fin_plen - hlen; - ipf_pr_ipv4hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_bad); + return (-1); + } else { + ipf_pr_ipv4hdr(fin); + } #ifdef USE_INET6 } else if (v == 6) { fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); fin->fin_dlen = fin->fin_plen; fin->fin_plen += hlen; - - ipf_pr_ipv6hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_v6_bad); + return (-1); + } else { + ipf_pr_ipv6hdr(fin); + } #endif } if (fin->fin_ip == NULL) {
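
Review bot: in the ipf_makefrip header comment (first hunk), "-1 == packet freed or bad length" folds two outcomes with different mbuf ownership into one return value. The bad-length paths added in the second hunk return (-1) without freeing anything in the visible lines, so a caller reading this comment cannot tell whether it still owns the mbuf after a -1. Suggest spelling out in the comment that the packet is not freed on the bad-length path, and who is expected to free it.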
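
Review bot: in the second hunk, the new test in both the v == 4 and v == 6 branches only rejects `m_pkthdr.len < fin->fin_plen`, while the v4 context line `fin->fin_dlen = fin->fin_plen - hlen;` is still evaluated with no visible check that the header-supplied length is at least hlen, so an ip_len smaller than the header length is not covered by this change. If that case is not rejected elsewhere, it belongs in the same condition. The commit message says the mbuf length must be "the same as" the calculated length, but the code accepts an mbuf that is longer; the message or a comment should say that only a short mbuf is rejected. The check is also skipped silently when fin_m is NULL or M_PKTHDR is clear, which deserves a one-line comment. Style: the identical three-part condition is duplicated in both branches and could be a small helper, `fin->fin_m->m_flags & M_PKTHDR` should be parenthesized and the line wrapped, and the `else` after `return (-1);` is redundant.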