Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 23 Jul 2025 14:23:46 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 986abfeb9358 - main - pf: run Jumbogram check before we walk the headers
Message-ID:  <202507231423.56NENknb031111@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=986abfeb9358011af892f177c102dd3249196e02

commit 986abfeb9358011af892f177c102dd3249196e02
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-16 11:58:42 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-23 13:35:43 +0000

    pf: run Jumbogram check before we walk the headers
    
    While it is safe to run pf_walk_header6() on a packet with a 0 ip6_plen we're
    better off doing this check first. It's more obviously correct, and it's a very
    simple check to reject a packet.
    
    Suggested by:   emaste
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 9517e9b8c9bc..1310445c4063 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -10149,6 +10149,15 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 			return (-1);
 		}
 
+		/*
+		 * we do not support jumbogram.  if we keep going, zero ip6_plen
+		 * will do something bad, so drop the packet for now.
+		 */
+		if (htons(h->ip6_plen) == 0) {
+			*action = PF_DROP;
+			return (-1);
+		}
+
 		if (pf_walk_header6(pd, h, reason) != PF_PASS) {
 			*action = PF_DROP;
 			return (-1);
@@ -10168,15 +10177,6 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 		pd->virtual_proto = (pd->fragoff != 0) ?
 		    PF_VPROTO_FRAGMENT : pd->proto;
 
-		/*
-		 * we do not support jumbogram.  if we keep going, zero ip6_plen
-		 * will do something bad, so drop the packet for now.
-		 */
-		if (htons(h->ip6_plen) == 0) {
-			*action = PF_DROP;
-			return (-1);
-		}
-
 		/* We do IP header normalization and packet reassembly here */
 		if (pf_normalize_ip6(pd->fragoff, reason, pd) !=
 		    PF_PASS) {

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202507231423.56NENknb031111>