[Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Oct 2 21:07:34 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #16 from commit-hook at freebsd.org ---
A commit references this bug:

Author: kp
Date: Sun Oct  2 21:06:55 UTC 2016
New revision: 306593
URL: https://svnweb.freebsd.org/changeset/base/306593

Log:
  MFC r306289:

  bridge: Fix fragment handling and memory leak

  Fragmented UDP and ICMP packets were corrupted if a firewall with a
  reassembling feature (like pf's scrub) is enabled on the bridge.  This patch
  fixes the corrupted packet problem and the panic (triggered easily with low
  RAM) as explained in PR 185633.

  bridge_pfil and bridge_fragment relationship:

  bridge_pfil() receives (IN direction) packets and sends them to the firewall.
  The firewall can be configured for reassembling fragmented packets (like pf's
  scrubbing) into one mbuf chain. When bridge_pfil() needs to send this
  reassembled packet to the outgoing interface, it needs to re-fragment it by
  using bridge_fragment(). bridge_fragment() had to split this mbuf (using
  ip_fragment) first, then had to M_PREPEND each packet in the mbuf chain to
  add the Ethernet header.

  But M_PREPEND can sometimes create a new mbuf at the beginning of the mbuf
  chain; then the "main" pointer of this mbuf chain should be updated, and this
  case is totally forgotten. The original bridge_fragment code (Revision 158140,
  2006 April 29) came from OpenBSD, and the call to bridge_enqueue was
  embedded.  But on FreeBSD, bridge_enqueue() is done after bridge_fragment(),
  so the original OpenBSD code can't work as-is on FreeBSD.

  PR:             185633
  Submitted by:   Olivier Cochard-Labbé

Changes:
_U  stable/11/
  stable/11/sys/net/if_bridge.c

-- 
You are receiving this mail because:
You are the assignee for the bug.
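
The pointer-update problem the log describes, as a small user-space C model added here (not the code from r306593 or from if_bridge.c). `struct pkt`, `toy_prepend`, `add_headers` and `run` are hypothetical stand-ins for mbufs and M_PREPEND, and the three 100-byte fragments are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#define ETHER_HDR_LEN 14

/* Toy stand-in for struct mbuf (assumption: only the fields needed here). */
struct pkt {
    struct pkt *next;     /* next buffer of this packet, like m_next */
    struct pkt *nextpkt;  /* next packet in the queue, like m_nextpkt */
    int leading, len;     /* free bytes before the data; bytes of data */
};

/* Like M_PREPEND: use leading space if any, else allocate a new first buffer. */
static struct pkt *toy_prepend(struct pkt *m, int n) {
    if (m->leading >= n) { m->leading -= n; m->len += n; return m; }
    struct pkt *h = calloc(1, sizeof(*h));
    if (h != NULL) { h->len = n; h->next = m; }
    return h;
}

/* Add a header to every queued packet. relink=0 reproduces the forgotten
 * case (returned pointer dropped); relink=1 rewrites each link and the head. */
static struct pkt *add_headers(struct pkt *head, int relink) {
    for (struct pkt **link = &head; *link != NULL; link = &(*link)->nextpkt) {
        struct pkt *old = *link, *m = toy_prepend(old, ETHER_HDR_LEN);
        if (m == NULL) return NULL;          /* real code would free the queue */
        if (!relink || m == old) continue;   /* flawed path: new buffer leaks */
        m->nextpkt = old->nextpkt; old->nextpkt = NULL; *link = m;
    }
    return head;
}

/* Queue 3 fragments, add headers, count packets that carry the 14 bytes. */
static int run(int leading, int relink) {
    struct pkt *q = NULL, *m; int ok = 0;
    for (int i = 0; i < 3 && (m = calloc(1, sizeof(*m))) != NULL; i++) {
        m->leading = leading; m->len = 100; m->nextpkt = q; q = m;
    }
    for (q = add_headers(q, relink); q != NULL; q = q->nextpkt) {
        int total = 0;
        for (struct pkt *b = q; b != NULL; b = b->next) total += b->len;
        ok += (total == 100 + ETHER_HDR_LEN);
    }
    return ok;
}

int main(void) {
    printf("no headroom, stale: %d/3, relinked: %d/3\n", run(0, 0), run(0, 1));
    return 0;
}
```

With 14 bytes of leading space the stale variant also succeeds, which is why the defect only shows when the prepend has to allocate.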

