Date: Wed, 23 Jul 2025 14:23:52 GMT
Message-Id: <202507231423.56NENqiU031326@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: a00d0cad0aab - main - pf: handle truncated IP options in ICMP
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a00d0cad0aab8aee22521cd753fa9a1bab6d6531

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a00d0cad0aab8aee22521cd753fa9a1bab6d6531

commit a00d0cad0aab8aee22521cd753fa9a1bab6d6531
Author:     Kristof Provost
AuthorDate: 2025-07-18 13:04:18 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-23 13:35:46 +0000

    pf: handle truncated IP options in ICMP

    In pf the kernel panicked if IP options in packet within ICMP payload
    were truncated. Drop such packets instead.

    Reported-by: syzbot+91abd3aa2fdfe900f9ce@syzkaller.appspotmail.com
    OK sashan@ claudio@
    Obtained from: OpenBSD, bluhm , 0271abd8e4
    Sponsored by: Rubicon Communications, LLC ("Netgate")

--- sys/netpfil/pf/pf.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 20641fbcbce4..9ef69ee09bb8 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -9805,6 +9805,13 @@ pf_walk_option(struct pf_pdesc *pd, struct ip *h, int off, int end, { uint8_t type, length, opts[15 * 4 - sizeof(struct ip)]; + /* IP header in payload of ICMP packet may be too short */ + if (pd->m->m_pkthdr.len < end) { + DPFPRINTF(PF_DEBUG_MISC, ("IP option too short\n")); + REASON_SET(reason, PFRES_SHORT); + return (PF_DROP); + } + MPASS(end - off <= sizeof(opts)); m_copydata(pd->m, off, end - off, opts); end -= off;
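
Review bot: In the added block at the top of pf_walk_option(), the new runtime test bounds only `end` against `pd->m->m_pkthdr.len`; the size of the copy into `opts`, `end - off`, is still guarded solely by `MPASS(end - off <= sizeof(opts))`, which is an assertion and is compiled in only on INVARIANTS kernels. Since the commit message says truncated options inside an ICMP payload reach this function, either add a short comment stating which caller invariant keeps `end - off` non-negative and within the 40-byte buffer, or fold that bound into the same PF_DROP path so production kernels enforce it too. Two smaller points: the code comment says the IP header may be too short while the debug string says "IP option too short", so one wording should be chosen, and the diffstat shows only pf.c changing, so a regression test reproducing the syzbot case would be worth adding alongside.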